Abstract



We study position-based cryptography in the quantum setting. We examine a class of protocols 
that only require the communication of a single qubit and 2n bits of classical information. To this 
end, we define a new model of communication complexity, the garden-hose model, which enables
us to prove upper bounds on the number of EPR pairs needed to attack such schemes. This 
model furthermore opens up a way to link the security of position-based quantum cryptography 
to traditional complexity theory. 
Chapter 1

Introduction 



1.1 Quantum Computing and Quantum Information 

In a now-classic talk, Richard Feynman considered the possibilities of simulating quantum physics 
on computers [Fey82]. While it seems to be hard to come up with a way of simulating general 
quantum systems, he conjectured that it might be possible to let quantum systems perform the 
simulation, a so-called universal quantum simulator. The idea that quantum systems might be 
fundamentally better at some computational tasks than computers based on classical physics was 
a starting point for the field of quantum computation. 

The popularity of quantum computation got a big boost after Peter Shor's 1994 discovery
of an efficient algorithm for factoring integers [Sho99]. Besides it being interesting that a quantum
algorithm was found that performs much better than the best known classical algorithm for
a well-studied problem, this discovery also has implications for cryptography. The security of
many cryptographic systems, with RSA being the most widely used, is based on the assumption
that multiplying two large primes is much easier than factoring the result. If scalable quantum
computers were to become available, much of the current encrypted data traffic could be broken.

Despite the effort going into it, it might still take a long time for a large-scale quantum computer
to be built. Practical quantum computation might even turn out to be impossible, for
reasons that are not yet known. Still, currently it seems as though quantum computation
is consistent with quantum mechanics, and a fundamental impossibility result would be a very
interesting development. Applying the tools of quantum information has also led to new results
in classical theoretical computer science, see for example [DdW11].

Bennett and Brassard [BB84] developed a system for quantum key distribution. The BB84 
protocol does not depend on the manipulation of large quantum systems, and implementations are 
currently available commercially. The security of the scheme is proven, but recently researchers
have demonstrated attacks on implementations of this protocol, using technical properties of the
detectors used. Investigating possible attacks is a currently active area of research on the
experimental side of quantum cryptography.

Classical information is made up of bits, while a unit of quantum information is called a qubit.
Instead of the classical bit that can take values 0 and 1, a single qubit can be described as a
two-dimensional complex unit vector. We say that a qubit can be in a superposition of its basis
states $|0\rangle$ and $|1\rangle$, named in analogy with 0 and 1 of the classical bit. An important
characteristic of multiple-qubit states is the ability of qubits to be entangled. A quantum state is
entangled when the system of multiple qubits cannot be separated into individual qubits without loss of
information. The EPR pair or Bell state is the maximally entangled state on two qubits, used
in many of the well-known results of quantum information such as teleportation and super-dense
coding.






1.2 Position-Based Quantum Cryptography



The goal of position-based cryptography is to perform cryptographic tasks using location as a
credential. The general concept of position-based cryptography was introduced by Chandran,
Goyal, Moriarty and Ostrovsky [CGMO09]. One possible example would be a scheme that encrypts
a message in such a way that this message can only be read at a certain location, like a military
base. Position authentication is another example of a position-based cryptographic task; there
are many conceivable scenarios in which it would be very useful to be assured that the sender of a
message is indeed at the claimed location.

One of the basic tasks of position-based cryptography is position verification. We have a prover
P trying to convince a set of verifiers $V_0, \ldots, V_k$, spread around in space, that P is present at
a specific position pos. The first idea for such a protocol is a technique called distance
bounding [BC94]. Each verifier sends a random string to the prover, using radio or light signals, and
measures how long it takes for the prover to respond with this string. Because the signal cannot
travel faster than the speed of light, each verifier can upper bound the distance from the prover.

Before the recent formulation of a general framework for position-based cryptography, this 
problem of secure positioning has been studied in the field of wireless security, and there have been 
several proposals for this task ([BC94, SSW03, VN04, Bus04, CH05, SP05, ZLFW06, CCS06]). 

Although the security of the proposed protocols can be proven against a single attacker, they 
can be broken by multiple colluding adversaries. Multiple adversaries working together can send 
a copy of the string sent by the nearest verifier to all other partners in crime. Each adversary can 
then emulate the actions of the honest prover to its closest verifier. It was shown by Chandran 
et al. [CGMO09] that such an attack is always possible in the classical world, when not making 
any extra assumptions. Their paper does give a scheme where secure position verification can 
be achieved, when restricting the adversaries by assuming there is an upper limit to the amount 
of information they can intercept: the Bounded Retrieval Model. Assuming bounded retrieval 
might not be realistic in every setting, so the next question was whether other extensions might 
be possible to achieve better security. Attention turned to the idea of using quantum information 
instead of classical information. Because the general classical attack depends on the ability of the 
adversaries to simultaneously keep information and send it to all other adversaries, researchers 
hoped that the impossibility of copying quantum information might make an attack impossible. 
(See Section 2.1.3 for the quantum no-cloning theorem.) 

The first schemes for position-based quantum cryptography were investigated by Kent in 2002
under the name of quantum tagging. Together with Munro, Spiller and Beausoleil, he was granted
a U.S. patent for this protocol in 2006. Their results appeared in the scientific literature only
in 2010 [KMS11]. This paper considered several different schemes, and also showed attacks on
these schemes. Afterwards, multiple other schemes have been proposed, but all eventually turned
out to be susceptible to attacks.

Finally, a general impossibility result was given by Buhrman, Chandran, Fehr, Gelles, Goyal,
Ostrovsky, and Schaffner [BCF+10], showing that every quantum protocol can be broken. The
construction in this general impossibility result uses a doubly exponential amount of
entanglement. A new construction was recently given by Beigi and König reducing this to an exponential
amount [BK11].

Even though it has been shown that any scheme for position-based quantum cryptography 
can be broken, these general attacks use an amount of entanglement that is too large for use in 
practical settings. Even when the honest provers use a small state, the dishonest players need an 
astronomical amount of EPR pairs to perform the attack described in the impossibility proofs. 
This brings us to the following question, which is also the central topic of this thesis: How much 
entanglement is needed to break specific schemes for quantum position verification? 

Answers to this question will take the form of lower bounds and upper bounds. The upper 
bounds typically consist of a specific attack on a scheme, showing how it can be broken using a 
certain amount of entanglement. A lower bound is generally harder to prove, since it has to say 
something about the amount of resources needed for any attack. In their recent paper, Beigi and
König give a scheme, using Mutually Unbiased Bases, that needs at least a linear number of EPR
pairs to break for honest players [BK11]. This thesis adds a new upper bound for this scheme,
showing that the lower bound is tight up to a small constant.

In this thesis, we investigate a class of schemes that involves only a single qubit, and 2n classical 
bits. Such schemes were first considered by Kent et al. [KMS11]. We focus on the one-dimensional 
set-up, but the schemes easily generalize to three-dimensional space. Besides the assumption that 
all communication happens at the speed of light, we assume that all parties do not need time to 
process the verifiers' messages and can perform computations instantaneously. We also assume 
that the verifiers have clocks that are synchronized and accurate, and that the verifiers have a 
private channel over which they can coordinate their actions. 

The prover wants to convince the two verifiers, $V_0$ and $V_1$, that he is at position pos on the
line in between them. $V_0$ sends a qubit $|\phi\rangle$ prepared in a random basis to P. In addition, $V_0$
sends a string $x \in \{0,1\}^n$ and $V_1$ a string $y \in \{0,1\}^n$ to P. The verifiers $V_0$ and $V_1$ time their
actions such that the messages arrive at the location of the honest prover at the same time. After
receiving $|\phi\rangle$, x and y, P computes a predetermined Boolean function f(x,y). He sends $|\phi\rangle$ to $V_0$
if f(x,y) = 0 and to $V_1$ otherwise. $V_0$ and $V_1$ check that they receive the correct qubit in time
corresponding to pos and measure the received qubit in the basis in which it was
prepared. In order to cheat the scheme, we imagine two provers $P_0$ and $P_1$ on either side of the
claimed position pos, who try to simulate the correct behavior of an honest P at pos.

Looking from the perspective of the adversaries, we can describe their task in the following way.
$P_0$ receives $|\phi\rangle$, x and $P_1$ receives y. They are allowed to simultaneously send a single message to
each other such that upon receiving that message they both know f(x,y) and if f(x,y) = 0 then $P_0$
still has $|\phi\rangle$, otherwise $P_1$ has it in his possession. The attack described in [KMS11] accomplishes
this task, for any function f, but requires an amount of entanglement that is exponential in n.
In this thesis we introduce a complexity measure which relates to the complexity of computing
f(x,y), the garden-hose complexity. The garden-hose complexity gives an upper bound on the
number of EPR pairs the adversaries need to break the one-qubit scheme that corresponds to the
function f.

These protocols are interesting to consider, because the quantum actions of the honest prover 
are very simple. All the honest prover has to do is route a qubit to the correct location, while the 
verifiers have to measure in the correct basis, actions which are not much harder than those needed 
in the BB84 protocol, which is already technologically feasible. If a gap can be shown between the 
difficulty of the actions of the honest prover and those of the adversaries, this protocol would be 
a good candidate to investigate further for use in real-life settings. The hope is that for functions 
f(x,y) that are "complicated enough", the amount of entanglement needed to successfully break 
the protocol grows at least linearly in the bit length n of the classical strings x, y; we would then 
require more classical computing power of the honest prover, whereas more quantum resources are 
required by the adversary to break the protocol. To the best of our knowledge, such a trade-off 
has never been observed for a quantum-cryptographic protocol. 

1.3 Complexity Theory 

The field of computational complexity theory is concerned with the study of how much
computational resources are required to solve problems. These resources always have to be defined in
relation to a model of computation. 

One of the most well-studied models of computation is the Turing machine, a hypothetical 
device that manipulates symbols on a scratch pad according to a set of rules. To be more precise, 
the memory of a Turing machine consists of an input tape, one or more work tapes, and an output 
tape. Every tape has a tape head that can read and write symbols, one cell at a time. Every time 
step, the tape head can move one cell to the left or to the right. A Turing machine has a finite set 
of states, and the state register of the machine always contains one of these states. To determine 
the actions of the Turing machine, the machine has a transition function that, given the current 
state and the symbols under the tape heads, determines the next state in the state register, if and 
what to write under the heads, and the movement of the heads. 
The Church-Turing thesis states that if a problem can be solved by an algorithm, there exists
a Turing machine that solves the problem. When looking at the hardness of a problem, we
are concerned with how efficiently we can solve it; we bound resources (such as space used or
time used) and then examine which problems can still be solved. Many variants of the
described (deterministic) Turing machine have been studied, such as probabilistic Turing machines,
non-deterministic Turing machines, and others. Even though these models can still solve the same
problems in principle, they might differ in which problems they can solve under bounded resources.
The Turing-machine model is surprisingly robust under small modifications; for example, increasing
the number of tapes, or letting the tape head movements only depend on the input length
instead of the actual input, does not change the most commonly used complexity classes.

The first complexity class that we will consider is P. The class P contains all problems that can 
be solved by a deterministic Turing machine using an amount of time (or steps) that is polynomial 
in the input length. This class is often used informally as a notion of efficient computation; when 
a problem is in P, we will often call it easy (for a conventional computer). 

Besides bounding time, it is also possible to bound the amount of tape the Turing machine is 
allowed to write on when solving a problem. The complexity class L contains all problems that 
can be solved by a deterministic Turing machine using a logarithmic amount of space. Complexity 
theory looks at the relation between complexity classes. For example, we can say that $L \subseteq P$,
meaning that all problems that can be solved in logarithmic space can also be solved in polynomial
time. As is often the case in complexity theory, we are unable to prove that this inclusion is proper,
meaning that we cannot prove that the classes are not equal. Still, it is widely believed that there
are problems in P that are not in L.

An alternative model of computation to the Turing machine is given by the Boolean circuit. 
A circuit is a directed acyclic graph, where the input nodes (which are vertices with no incoming 
edges) are given by input bits. The non-source vertices are called gates, and represent the logical 
operations OR, AND, and NOT. Complexity measures that can be defined on circuits include 
circuit depth and circuit size. The depth of a circuit is the length of the longest path of an input 
node to the output node. The size of a circuit is defined as the number of gates of the circuit. 

1.4 Contributions of This Thesis 

The main theme of this thesis is the analysis of specific protocols for position-based quantum
cryptography. Large parts of the thesis are based on the article The Garden-Hose Game and
Application to Position-Based Quantum Cryptography, by Harry Buhrman, Serge Fehr, Christian
Schaffner, and Florian Speelman, which will be presented at QCRYPT 2011 [BFSS11].

In Chapter 3 we demonstrate that the protocol proposed by Beigi and König [BK11] can be
broken using a number of EPR pairs that is linear in the number of qubits that the honest player 
has to manipulate. This improves on their exponential upper bound. The new upper bound 
matches their linear lower bound, thereby showing the lower bound is optimal up to a constant 
factor. 

For the rest of the thesis we turn our attention to protocols for position verification using 
only one qubit, complemented with classical information. In Chapter 4 we define the notion of 
garden-hose complexity, capturing the power of a group of attacks on these protocols. If a function 
has garden-hose complexity s, there is a scheme to break the protocol using s EPR pairs. We 
give upper bounds on the garden-hose complexity for several concrete functions, such as equality, 
inner product, and majority. Polynomial upper bounds are also shown for any function that can 
be computed in logarithmic space. 

Considering the limits of the power of this model, we give an almost-linear lower bound for the 
garden-hose complexity of a large group of functions, including equality and bitwise inner product. 
We also show there exist functions having exponential garden-hose complexity. This exponential 
lower bound gives evidence that a general efficient quantum attack, should it exist, has to use 
other ingredients than just teleportation. 

For practical protocols it makes sense to primarily consider functions f which can be computed
in polynomial time. As a consequence of our results, we find the following interesting connections
between the security of the quantum protocol and classical complexity theory. On one hand, the
assumption that P is not equal to L will be needed to keep the possibility open that there exist
polynomial-time functions f where a superpolynomial amount of entanglement is needed to break
our scheme. This also implies a connection in the other direction: if there is an f in P such that
there is no attack on our scheme using a polynomial number of EPR pairs, then $P \neq L$.

Finally, we give a lower bound for the single-qubit protocol in the quantum case; it is shown 
that the adversaries need to manipulate a number of qubits that is at least logarithmic in the 
length of the classical input, while the honest player only has to act on a single qubit. 

These results are steps towards gaining a better understanding of position-based quantum 
cryptography. It is realistic to assume that the entanglement between the adversaries is bounded. 
The garden-hose model highlights obstacles that a general security proof would have to overcome, 
and gives new upper bounds for the amount of entanglement needed for an attack on a specific 
protocol. The eventual goal is to prove the security of a specific protocol for position-based 
quantum cryptography, under realistic assumptions, so that this new type of cryptography can be 
considered for implementation in the real world. 
Chapter 2

Preliminaries 



2.1 Basic Quantum Information 

For an introduction into quantum information see [NC00]. We will mostly use this section to fix
notation. Quantum states can be described as unit vectors in a complex Hilbert space. A Hilbert
space is a complex vector space with an inner product. Throughout this thesis we will typically
use bra-ket notation, also known as Dirac notation. A quantum mechanical state can be described
by a vector $|\psi\rangle$ called a ket. The vector dual to $|\psi\rangle$ is written as $\langle\psi|$ and is called a bra. The
inner product between two states $|\psi\rangle$ and $|\phi\rangle$ is written as $\langle\psi|\phi\rangle$.

A single qubit is described in a two-dimensional state space. The most common orthonormal 
basis we use for qubits is called the computational basis and is defined as 



$|0\rangle$        $|1\rangle$



We can describe any one-qubit state by a superposition of these basis vectors, enabling us to 
write 

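$$|\psi\rangle = \alpha|0\rangle + \beta|1\rangle \quad \text{with } \alpha, \beta \in \mathbb{C}$$

for any one-qubit state $|\psi\rangle$. Here normalization requires that $|\alpha|^2 + |\beta|^2 = 1$. In vector notation
we would write this state $|\psi\rangle$, and its dual $\langle\psi|$, as

$$\langle\psi| = \begin{pmatrix} \alpha^* & \beta^* \end{pmatrix}$$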



The joint state of multiple quantum systems is a vector in a space that is a tensor product of 
the original spaces. A two-qubit system has computational basis states 



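$$|0\rangle|0\rangle = \begin{pmatrix}1\\0\\0\\0\end{pmatrix} \qquad |0\rangle|1\rangle = \begin{pmatrix}0\\1\\0\\0\end{pmatrix} \qquad |1\rangle|0\rangle = \begin{pmatrix}0\\0\\1\\0\end{pmatrix} \qquad |1\rangle|1\rangle = \begin{pmatrix}0\\0\\0\\1\end{pmatrix}$$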



The state space of n qubits has dimension $2^n$. Not all two-qubit states can be written as the
tensor product of two one-qubit states. A quantum state that cannot be written as a product of
individual qubit states is said to be entangled. A very important example of an entangled state is
the EPR pair, which will be introduced in the next section.

The evolution of a closed quantum system is described by a unitary transformation. This
means that we can describe manipulation of the quantum states as a unitary matrix; a matrix U for
which $U^\dagger U = I$ holds.

The Pauli matrices are four unitary matrices that are very common in quantum computing. 
Here we define them as 

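$$\sigma_0 := I := \begin{pmatrix}1&0\\0&1\end{pmatrix} \qquad \sigma_1 := X := \begin{pmatrix}0&1\\1&0\end{pmatrix}$$

$$\sigma_2 := Y := \begin{pmatrix}0&-i\\i&0\end{pmatrix} \qquad \sigma_3 := Z := \begin{pmatrix}1&0\\0&-1\end{pmatrix}$$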

The Hadamard matrix is a unitary transformation which is defined as 



We write 



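$$|+\rangle := H|0\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) \quad \text{and}$$
$$|-\rangle := H|1\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$$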



for the basis vectors of the Hadamard basis. 



2.1.1 Measurement of Quantum States 

A quantum measurement is described by a collection $\{M_m\}$ of measurement operators, where m
refers to the measurement outcome. If the state before measurement is $|\psi\rangle$, the probability that
result m occurs is given by

$$p(m) = \langle\psi|M_m^\dagger M_m|\psi\rangle,$$

and the state after getting measurement outcome m is

$$M_m|\psi\rangle$$

Reflecting the fact that probabilities sum to one, we have the completeness relation

$$\sum_m M_m^\dagger M_m = I.$$

Measurements in the computational basis can be described by measurement operators 

$$M_0 = |0\rangle\langle 0| \qquad M_1 = |1\rangle\langle 1|,$$

while measurements in the Hadamard basis have measurement operators 

$$M_0 = |+\rangle\langle +| \qquad M_1 = |-\rangle\langle -|.$$

All measurement operators we use in this thesis are projective measurements. We call a
measurement a projective measurement if, beside satisfying the completeness relation, the $M_m$ are
orthogonal projectors. The last requirement means that the operators have to be Hermitian, that
is $M_m^\dagger = M_m$, and that $M_m M_{m'} = \delta_{m,m'} M_m$. Here $\delta_{m,m'}$ is the Kronecker delta. As a
consequence of using projective measurements, measuring the same qubit twice, consecutively, will give
the same outcome both times.
2.1.2 Entanglement and EPR Pairs

The four different EPR pairs, for Einstein, Podolsky and Rosen, or Bell states are defined as 

$$|\beta_{00}\rangle := \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$$

$$|\beta_{01}\rangle := \frac{1}{\sqrt{2}}(|01\rangle + |10\rangle)$$

$$|\beta_{10}\rangle := \frac{1}{\sqrt{2}}(|00\rangle - |11\rangle)$$

$$|\beta_{11}\rangle := \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle).$$

These states will be used very often in this thesis, especially for their use in quantum teleportation
(see Section 2.1.4). Whenever we use $|\beta\rangle$, we refer to the state $|\beta_{00}\rangle$.

A measurement on the state $|\beta_{00}\rangle_{AB}$ has the following property: if qubit A is measured in the
computational basis, then a uniformly random bit $x \in \{0,1\}$ is observed and qubit B collapses
to $|x\rangle$. Similarly, if qubit A is measured in the Hadamard basis, then a uniformly random bit
$x \in \{0,1\}$ is observed and qubit B collapses to $H|x\rangle$.

Using these states, we can define the Bell measurement, which projects two qubits into a Bell
state, by measurement operators

$$M_{00} = |\beta_{00}\rangle\langle\beta_{00}| \qquad M_{01} = |\beta_{01}\rangle\langle\beta_{01}|$$

$$M_{10} = |\beta_{10}\rangle\langle\beta_{10}| \qquad M_{11} = |\beta_{11}\rangle\langle\beta_{11}|.$$

2.1.3 The No-Cloning Theorem 

The no-cloning theorem is a classic result of quantum information which states that it is impossible
to copy an arbitrary quantum state. This theorem has very important consequences for quantum 
cryptography. Without the impossibility of cloning the BB84 scheme would be insecure, for 
example. The no-cloning theorem is also the reason why the classical attack on schemes for 
position-based cryptography does not generalize to the quantum case. 

Theorem 2.1. There exists no unitary operation U that perfectly copies the state of an arbitrary 
qubit. 

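Proof. By contradiction, suppose we have a unitary operation U that performs a copy, so that
$U|\psi\rangle|s\rangle = |\psi\rangle|\psi\rangle$ for any possible $|\psi\rangle$, where $|s\rangle$ is some starting state that is independent of
$|\psi\rangle$. More specifically, this would imply

$$U(|0\rangle|s\rangle) = |0\rangle|0\rangle$$

and also

$$U(|1\rangle|s\rangle) = |1\rangle|1\rangle.$$

But now let us try to copy $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$. Since U is linear, we can use the previous equations
to get

$$U|+\rangle|s\rangle = \frac{1}{\sqrt{2}}(U|0\rangle|s\rangle + U|1\rangle|s\rangle) = \frac{1}{\sqrt{2}}(|0\rangle|0\rangle + |1\rangle|1\rangle)$$

and this is not equal to $|+\rangle|+\rangle$, giving a contradiction. □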

2.1.4 Quantum Teleportation 

The goal of quantum teleportation is to transfer a quantum state from one location to another by 
only communicating classical information. Teleportation requires pre-shared entanglement among 
the two locations. 
Let us say Alice wants to teleport a qubit Q to Bob, in an arbitrary unknown state

$$|\psi\rangle_Q = \alpha|0\rangle_Q + \beta|1\rangle_Q.$$

Alice and Bob share a quantum state $|\beta_{00}\rangle_{AB}$, where Alice has qubit A and Bob has B. Define
the total state of their system $|\Psi\rangle = |\beta_{00}\rangle_{AB}|\psi\rangle_Q$.

We can rewrite the state of their quantum system as

$$|\Psi\rangle = \frac{1}{\sqrt{2}}(|0\rangle_A|0\rangle_B + |1\rangle_A|1\rangle_B)(\alpha|0\rangle_Q + \beta|1\rangle_Q)$$

$$= \frac{1}{2}\Big(|\beta_{00}\rangle_{AQ}(\alpha|0\rangle_B + \beta|1\rangle_B) + |\beta_{01}\rangle_{AQ}(\alpha|1\rangle_B + \beta|0\rangle_B)$$
$$\qquad + |\beta_{10}\rangle_{AQ}(\alpha|0\rangle_B - \beta|1\rangle_B) + |\beta_{11}\rangle_{AQ}(\alpha|1\rangle_B - \beta|0\rangle_B)\Big)$$

Note that if we fill in the $|\beta_z\rangle$ terms, we get exactly the same state as we started with; all that
happened so far is a re-ordering of terms. Now Alice performs a Bell measurement on qubits A
and Q, getting an outcome $z \in \{00, 01, 10, 11\}$. After this measurement, the state Bob holds will
be equal to $\sigma_k|\psi\rangle$, where $\sigma_k$ is a Pauli correction depending on the outcome z. Now Alice sends
the two bits z to Bob.

We can quickly check that when z = 00, Bob does not have to apply a correction. On z = 01,
Bob can recover $|\psi\rangle$ by applying $\sigma_1 = X$. When z = 10, Bob has to apply $\sigma_3 = Z$. And when
z = 11, Bob can recover the original state $|\psi\rangle$ by applying $\sigma_2 = Y$ to his qubit. The Y operation
does contain an extra factor i in its usual definition, but this only adds a global phase to the 
quantum state, which we can always ignore. With this protocol, Alice can effectively transfer a 
quantum state to Bob, using a pre-shared entangled state and classical information. 
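
The correction table above can be checked numerically. The following Python sketch is an added example, not code from the thesis: it projects qubits A and Q of the joint state onto each Bell state, applies the stated Pauli correction to Bob's qubit, and reports the outcome probability and the overlap with the original state. The amplitude ordering (A, Q, B) and all function names are assumptions of this example.

```python
import math

S = 1 / math.sqrt(2)

# Bell states on the ordered pair (A, Q), as {(a, q): amplitude}; all amplitudes are real,
# so no complex conjugation is needed when projecting onto them.
BELL = {
    "00": {(0, 0): S, (1, 1): S},
    "01": {(0, 1): S, (1, 0): S},
    "10": {(0, 0): S, (1, 1): -S},
    "11": {(0, 1): S, (1, 0): -S},
}

I2 = ((1, 0), (0, 1))
X = ((0, 1), (1, 0))
Y = ((0, -1j), (1j, 0))
Z = ((1, 0), (0, -1))

# Correction Bob applies after receiving the two classical bits z (as stated in the text).
CORRECTION = {"00": I2, "01": X, "10": Z, "11": Y}


def apply(m, v):
    """Apply a 2x2 matrix to a one-qubit state vector."""
    return [m[0][0] * v[0] + m[0][1] * v[1], m[1][0] * v[0] + m[1][1] * v[1]]


def teleport(psi):
    """Return {z: (probability of outcome z, <psi|corrected Bob state>)} for all four z."""
    norm = math.sqrt(sum(abs(c) ** 2 for c in psi))
    psi = [c / norm for c in psi]
    # Joint state |beta_00>_AB |psi>_Q: amplitude of |a, q, b> is psi[q]/sqrt(2) when a == b.
    joint = {(a, q, a): S * psi[q] for a in (0, 1) for q in (0, 1)}
    results = {}
    for z, bell in BELL.items():
        # Project A,Q onto |beta_z>; what remains is Bob's unnormalised qubit.
        bob = [sum(amp * joint.get((a, q, b), 0) for (a, q), amp in bell.items())
               for b in (0, 1)]
        prob = sum(abs(c) ** 2 for c in bob)
        bob = [c / math.sqrt(prob) for c in bob]
        fixed = apply(CORRECTION[z], bob)
        overlap = psi[0].conjugate() * fixed[0] + psi[1].conjugate() * fixed[1]
        results[z] = (prob, overlap)
    return results


if __name__ == "__main__":
    # Constructed sample state 0.6|0> + 0.8i|1>.
    for z, (prob, overlap) in teleport([0.6, 0.8j]).items():
        print(z, round(prob, 3), overlap)
```

Every outcome occurs with probability 1/4 and the overlap has modulus 1; for z = 11 the overlap is i, which is the global phase contributed by Y.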

2.2 Barrington's Theorem 

A classic result in computational complexity, Barrington's theorem [Bar89] was a resolution of a 
long-standing open problem concerning the power of a model called bounded-width computations. 
Many theorists believed the model to be not very powerful, and hoped to prove lower bounds in 
the model, until Barrington showed it was able to simulate a large class of circuits. In this thesis, 
we apply the construction Barrington used in his original proof. This construction enables us to 
find strategies for functions computed by this class of circuits in the garden-hose model (Section 
4.4). 

A cycle is a permutation which maps some subset of elements to each other in a cyclic way.
When we explicitly write out a permutation, we will use cycle notation. In cycle notation, the
permutation $\mu = (a_1 \ldots a_k)$ has the action

$$a_1 \mapsto a_2 \mapsto \ldots \mapsto a_k \mapsto a_1.$$

So for each index i, we have $\mu(a_i) = a_{i+1}$, where $a_{k+1}$ refers back to $a_1$. Any other permutation
can be written as a product of disjoint cycles.

In the context of this section, let an instruction over $S_5$ be a triple $(i, \mu, \nu)$, where i is the
index to a bit of the input, and $\mu$ and $\nu$ are permutations in the symmetric group $S_5$. Let e be
the identity permutation and $x_1, x_2, \ldots, x_n$ be a list of the n inputs to the circuit. The instruction
$(i, \mu, \nu)$ evaluates to $\mu$ if $x_i$ is true and to $\nu$ if $x_i$ is false. A width-5 permutation branching program
(5-PBP) is a sequence of instructions over $S_5$, and it evaluates to the product of the value of
its instructions. The length of a program is the number of instructions. We will say that a
permutation program P computes a circuit C with output $\mu$ if it evaluates to a cycle $\mu$ whenever
C is true, and to the identity e if C is false.
Barrington's Theorem. Given a boolean circuit C of fan-in two and depth d, with $\mu$ a five-cycle
in $S_5$, there is a 5-PBP of length at most $4^d$ that evaluates to $\mu$ if C evaluates to true and to the
identity if C evaluates to false.

Lemma 2.2. A program is independent of its output $\mu$. If a 5-PBP evaluates to $\mu$ if C is true
and to e if C is false, there exists a 5-PBP of equal length that evaluates to a given five-cycle $\nu$
instead of $\mu$.

Proof. There exists a permutation $\theta$ such that $\nu = \theta\mu\theta^{-1}$. Multiply both permutations in the
first instruction by $\theta$ on the left, and multiply both parts of the last instruction by $\theta^{-1}$ on the
right. The new program has the same length as the old and produces $\nu$ if C is true and e if C is
false. □

Lemma 2.3. If a permutation branching program P computes C, there is also a program P' of
equal length that computes the negation of C.

Proof. Let P compute C with output $\mu$, and let the last instruction be $(i, \tau, \nu)$. We make P'
identical to P except for the last instruction, $(i, \tau\mu^{-1}, \nu\mu^{-1})$. This new program evaluates to e if
C is true and to $\mu^{-1}$ if C is false. By Lemma 2.2 we can make it evaluate to any five-cycle. □

Lemma 2.4. There are two five-cycles $\mu_1$ and $\mu_2$ in $S_5$ whose commutator is a five-cycle unequal
to the identity. The commutator of two permutations a and b is defined as $aba^{-1}b^{-1}$.

Proof. (12345)(13542)(54321)(24531) = (13254). □

Proof of Barrington's theorem. The proof closely follows Barrington's original proof [Bar89]. Let 
C be a circuit of depth d, fan-in two, consisting of AND and OR gates. We prove the statement 
by induction on d. In the base case, if d = 0, the circuit has no gates, so it is easy to use one 
instruction that evaluates correctly to an input (or negation of an input). 

Now assume without loss of generality that for depth greater than zero the output gate of C is 
an AND gate. If the output gate is an OR gate we can use Lemma 2.3 to turn it into an AND gate 
without gaining any length. The inputs to this gate, $C_1$ and $C_2$, are circuits of depth d − 1. By
the induction hypothesis these circuits can be computed by 5-PBPs of length at most $4^{d-1}$, call
these $P_1$ and $P_2$. Now let $P_1$ compute $C_1$ with output $\mu_1$ and $P_2$ compute $C_2$ with output $\mu_2$, with
$\mu_1$ and $\mu_2$ as defined in Lemma 2.4. By Lemma 2.2 we can choose the output of the programs
without increasing the length. Let $P_1'$ be equal to $P_1$ but instead with output $\mu_1^{-1}$. Similarly,
make $P_2'$ equal to $P_2$ but with output $\mu_2^{-1}$. Let the program P be the concatenation $P_1 P_2 P_1' P_2'$.
If either $C_1$ or $C_2$ is false, P evaluates to the identity permutation. If both are true, P evaluates
to the commutator of $\mu_1$ and $\mu_2$, which is a five-cycle. (By the first lemma, we can replace this
five-cycle by any other.) P has length at most $4^d$. □
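
The construction of Lemmas 2.2 to 2.4 and the proof above can be run directly. The following Python sketch is an added example, not code from the thesis: it compiles a small circuit into a 5-PBP and checks it on every input. It assumes permutations are multiplied left to right (the convention under which the identity in Lemma 2.4 holds as written), represents circuits as nested tuples, and reduces OR gates to AND gates through De Morgan's law and Lemma 2.3; all function names are illustrative.

```python
from itertools import permutations, product

IDENT = (0, 1, 2, 3, 4)


def cycle(*elems):
    """Permutation of {1..5} given in cycle notation, stored 0-indexed as a tuple."""
    p = list(IDENT)
    for a, b in zip(elems, elems[1:] + elems[:1]):
        p[a - 1] = b - 1
    return tuple(p)


def mul(p, q):
    """Left-to-right product: apply p first, then q."""
    return tuple(q[p[i]] for i in range(5))


def inv(p):
    r = [0] * 5
    for i, j in enumerate(p):
        r[j] = i
    return tuple(r)


MU1, MU2 = cycle(1, 2, 3, 4, 5), cycle(1, 3, 5, 4, 2)            # Lemma 2.4
COMM = mul(mul(mul(MU1, MU2), inv(MU1)), inv(MU2))               # = (13254)


def retarget(prog, old, new):
    """Lemma 2.2: change the output five-cycle from old to new without adding length."""
    theta = next(t for t in permutations(range(5))
                 if mul(mul(t, old), inv(t)) == new)
    prog = list(prog)
    i, m, n = prog[0]
    prog[0] = (i, mul(theta, m), mul(theta, n))
    i, m, n = prog[-1]
    prog[-1] = (i, mul(m, inv(theta)), mul(n, inv(theta)))
    return prog


def build(c, out):
    """5-PBP (list of instructions (i, mu, nu)) evaluating to out iff circuit c is true."""
    kind = c[0]
    if kind == "var":
        return [(c[1], out, IDENT)]
    if kind == "not":                                            # Lemma 2.3
        prog = build(c[1], out)
        i, m, n = prog[-1]
        prog[-1] = (i, mul(m, inv(out)), mul(n, inv(out)))
        return retarget(prog, inv(out), out)
    if kind == "or":                                             # De Morgan
        return build(("not", ("and", ("not", c[1]), ("not", c[2]))), out)
    # AND gate: concatenation P1 P2 P1' P2' evaluates to the commutator iff both are true.
    prog = (build(c[1], MU1) + build(c[2], MU2)
            + build(c[1], inv(MU1)) + build(c[2], inv(MU2)))
    return retarget(prog, COMM, out)


def run(prog, x):
    val = IDENT
    for i, m, n in prog:
        val = mul(val, m if x[i] else n)
    return val


def truth(c, x):
    kind = c[0]
    if kind == "var":
        return bool(x[c[1]])
    if kind == "not":
        return not truth(c[1], x)
    a, b = truth(c[1], x), truth(c[2], x)
    return (a and b) if kind == "and" else (a or b)


def check(c, n, out=MU1):
    """Return (program length, whether the program agrees with c on all 2^n inputs)."""
    prog = build(c, out)
    ok = all(run(prog, x) == (out if truth(c, x) else IDENT)
             for x in product((0, 1), repeat=n))
    return len(prog), ok


def var(i):
    return ("var", i)


# Constructed sample circuits: majority of three bits (depth 3) and XOR of two bits (depth 2).
MAJ3 = ("or", ("or", ("and", var(0), var(1)), ("and", var(0), var(2))), ("and", var(1), var(2)))
XOR2 = ("or", ("and", var(0), ("not", var(1))), ("and", ("not", var(0)), var(1)))

if __name__ == "__main__":
    print(check(MAJ3, 3), check(XOR2, 2))
```

The majority circuit has depth 3 and compiles to 40 instructions, within the bound $4^3 = 64$.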

Corollary. Every problem in $NC^1$ can be decided by a 5-width permutation branching program
of polynomial length.

Proof. If a problem is in $NC^1$, there is a circuit C with logarithmic depth d, fan-in two, consisting
of AND, OR, and NOT gates that decides the problem, by the definition of $NC^1$. Having d =
O(log n), we can use Barrington's theorem to obtain a 5-PBP of length at most $4^d = 4^{O(\log n)}$ that computes
C.¹ Since $4^{O(\log n)}$ is polynomial in n, the statement directly follows. □

¹ All logarithms in this thesis are with respect to base 2.
Chapter 

Attacking a protocol for position verification 

3.1 Mutually Unbiased Bases 

We use the following standard definition of mutually unbiased bases. The constructions and 
notations that we base our attack on were introduced in [LBZ02]. For a construction that also 
works for states of dimension other than powers of two, see [BBRV02] . 

Definition 3.1. Two orthonormal bases $\{|e_i^a\rangle\}_{i=1,\dots,d}$ and $\{|e_j^b\rangle\}_{j=1,\dots,d}$ of $\mathbb{C}^d$ are called mutually 
unbiased, if $|\langle e_i^a|e_j^b\rangle|^2 = \frac{1}{d}$ holds for all $i, j \in \{1, \dots, d\}$. 

A Pauli operator on an n-qubit state is the tensor product of n one-qubit Pauli matrices. 
Hence, there are $4^n$ Pauli operators in total. For $i \in \{0, 1, 2, 3\}^n$, we can write the Pauli operator 
$O_i$ as 

n 

k=l 

where is the j-th Pauli matrix acting on qubit k (tensored with the identity on the other 
qubits). 

Excluding the identity, there are $4^n - 1$ Pauli operators. These can be partitioned in $2^n + 1$ 
distinct subsets consisting of $2^n - 1$ commuting operators each [LBZ02]. The $2^n$ common 
eigenvectors of such a set of $2^n - 1$ commuting operators define an orthonormal basis. It can be shown 
that for any such partitioning, the resulting $2^n + 1$ bases are pairwise mutually unbiased [LBZ02]. 
We denote by $|e_x^a\rangle$ the x-th basis vector of the a-th mutually unbiased basis of this construction, 
where $x \in \{0, 1\}^n$ and $a \in A$ for a set A of $2^n + 1$ elements. 

In the following, we will exploit a special property of this construction of mutually unbiased 
bases in order to attack a protocol for position-verification recently proposed by Beigi and 
König [BK11]. In particular, we use the fact that applying a Pauli operator only permutes the 
basis vectors within every mutually unbiased basis, but does not map any basis vector into another 
basis. This property is captured by the following lemma. 

Lemma 3.2. Let U be an arbitrary Pauli operator on n qubits. For arbitrary $a \in A$ and 
$x \in \{0, 1\}^n$, let $|e_x^a\rangle$ be the x-th basis vector of the a-th mutually unbiased basis obtained from the 
construction above. Then, there exists $z \in \{0, 1\}^n$ such that $U|e_x^a\rangle = |e_z^a\rangle$. 

Proof. We can write U as 

$$U = \sigma_{r_1}\sigma_{r_2}\cdots\sigma_{r_n} = \prod_{k=1}^{n}\sigma_{r_k}.$$
Assume $|e_x^a\rangle$ is a common eigenvector of an internally commuting subset A of the Pauli operators, 
like described earlier. Denote the $2^n - 1$ elements of A by $O_\ell^a$ with $\ell \in \{1, \dots, 2^n - 1\}$. Note that 
$\sigma_0\sigma_i = \sigma_i\sigma_0$ for $i \in \{0, 1, 2, 3\}$ and $\sigma_i\sigma_j = (-1)^{\delta_{ij}}\sigma_j\sigma_i$ for $i, j \in \{1, 2, 3\}$ and $\delta_{ij}$ the Kronecker 
$\delta$-function. Because $|e_x^a\rangle$ is a common eigenvector of the Pauli operators in this set, it holds for 
all $\ell$ that $O_\ell^a|e_x^a\rangle = \lambda_\ell|e_x^a\rangle$ for some eigenvalue $\lambda_\ell$. To prove the claim, we show that $U|e_x^a\rangle$ is also 
an eigenvector of all $O_\ell^a$, with some (possibly different) eigenvalue $\lambda'_\ell$. 

$$\begin{aligned}
O_\ell^a U|e_x^a\rangle &= \prod_{k=1}^{n}\sigma_{\ell_k}\sigma_{r_k}|e_x^a\rangle \\
&= (-1)^{\alpha(r,\ell)}\prod_{k=1}^{n}\sigma_{r_k}\sigma_{\ell_k}|e_x^a\rangle \\
&= (-1)^{\alpha(r,\ell)}\,U O_\ell^a|e_x^a\rangle \\
&= \lambda'_\ell\,U|e_x^a\rangle ,
\end{aligned}$$

where we define $\lambda'_\ell := (-1)^{\alpha(r,\ell)}\lambda_\ell$ and the function $\alpha(r,\ell)$ determines the phase arising from the 
commutation relations of the $\sigma_{r_k}$'s and $\sigma_{\ell_k}$'s. Because $U|e_x^a\rangle$ is a common eigenvector of all $O_\ell^a$, 
there exists $z \in \{0, 1\}^n$ such that $|e_z^a\rangle = U|e_x^a\rangle$. □ 



3.2 The Protocol 

The protocol described in Figure 3.1 uses an (almost) complete set of mutually unbiased bases 
$\{|e_x^a\rangle_{x=1,\dots,2^n}\}_{a \in \{0,1\}^n}$ as defined above. The protocol can be seen as a higher-dimensional 
extension of the basic BB84-protocols proposed and analyzed in [KMS11, BCF+10]. In [BK11], Beigi 
and König show that $\mathrm{PV}_{\mathrm{MUB}}$ is secure against adversaries that share fewer than n/2 EPR pairs and 
are restricted to one round of simultaneous classical communication. They leave open whether the 
protocol remains secure against colluding adversaries that share more entanglement. We answer 
this question here. In the rest of the section, we show that for the construction of MUBs mentioned 
above, it is sufficient for adversaries to share n EPR pairs in order to perfectly break the protocol 
$\mathrm{PV}_{\mathrm{MUB}}$. It follows that the lower bound on EPR pairs given in [BK11] is optimal up to constant 
factors. 

0. $V_0$ and $V_1$ share common (secret) randomness in the form of uniformly distributed bit 
strings $a, x \in \{0, 1\}^n$. 

1. $V_0$ sends a to P and $V_1$ prepares the state $|e_x^a\rangle$ and sends it to P. The timing is chosen 
such that both the classical information and the quantum state arrive at the prover at 
the same time. 

2. P measures the state in the basis $\{|e_i^a\rangle\}_i$, getting measurement outcome $\hat{x} \in \{0, 1\}^n$. 
He sends $\hat{x}$ to both $V_0$ and $V_1$. 

3. $V_0$ and $V_1$ accept if they receive $\hat{x}$ at times consistent with $\hat{x}$ being emitted from the 
claimed position in both directions simultaneously, and $\hat{x} = x$. 

Figure 3.1: Protocol $\mathrm{PV}_{\mathrm{MUB}}$ from [BK11] for position-verification using mutually unbiased bases. 



3.3 The Attack 

The attack reported here is very similar to the attack on the BB84-scheme described in [KMS11]. 
The colluding adversaries $P_0$ and $P_1$ set up between the prover's claimed position and the verifiers 
$V_0$ and $V_1$, intercepting messages from $V_0$ and $V_1$. 
Adversary $P_0$ has knowledge of the basis a and $P_1$ gets the state $|e_x^a\rangle$. Our attack shows that 
using n EPR pairs and one round of simultaneous classical communication suffices to determine 
x, thus breaking protocol $\mathrm{PV}_{\mathrm{MUB}}$. We assume that the set of mutually unbiased bases used is 
equivalent to a basis obtained by a partitioning of Pauli operators as described above. To the best 
of our knowledge, any currently known construction of mutually unbiased basis sets of dimension 
$2^n$ is of this form. If the used set of mutually unbiased bases differs from one of these by a unitary 
transform, the attack still works by the adversaries just applying this unitary before the first step. 

As soon as $P_1$ receives the state $|e_x^a\rangle$, she teleports it to $P_0$ and forwards the classical outcome 
of the teleportation measurement indicating the needed Pauli correction. Using Lemma 3.2, the 
teleported state is still a basis vector of the same mutually unbiased basis, i.e. the state $P_0$ has 
before correction is $|e_z^a\rangle$, with z depending on the teleportation measurement outcome. $P_0$ measures 
$|e_z^a\rangle$ in basis a, getting outcome z which she sends to $P_1$. 

Now both adversaries know a, z and the teleportation correction, which is all the necessary 
information to obtain x. In principle, they can now reconstruct $|e_z^a\rangle$, apply the Pauli correction 
getting $|e_x^a\rangle$ and measure in basis a. In practice, they can also find x by classically computing 
which x corresponds to which correction, a, and z, instead of needing to reconstruct the entire 
state. 
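The classical post-processing described above can be checked by hand in the smallest case. The following is an added example, not code from the thesis: it takes n = 1, uses all three mutually unbiased bases of a qubit (the eigenbases of Z, X and Y), and models teleportation by the standard fact that, for Bell outcome i, the receiver holds $\sigma_i$ applied to the input state up to a phase. Function names and the labelling of bases and outcomes are assumptions of the example.

```python
import math

S = 1 / math.sqrt(2)

# One-qubit Pauli matrices, indexed by the teleportation outcome i (0 = identity).
PAULI = [((1, 0), (0, 1)),        # I
         ((0, 1), (1, 0)),        # X
         ((0, -1j), (1j, 0)),     # Y
         ((1, 0), (0, -1))]       # Z

# The 2^n + 1 = 3 mutually unbiased bases for n = 1.
MUB = {"Z": [(1, 0), (0, 1)],
       "X": [(S, S), (S, -S)],
       "Y": [(S, 1j * S), (S, -1j * S)]}

def apply(m, v):
    return tuple(m[r][0] * v[0] + m[r][1] * v[1] for r in range(2))

def prob(u, v):
    """|<u|v>|^2 for two single-qubit state vectors."""
    return abs(sum(complex(a).conjugate() * b for a, b in zip(u, v))) ** 2

def measure(state, a):
    """Outcome of measuring `state` in basis a; fails unless the outcome is certain."""
    probs = [prob(e, state) for e in MUB[a]]
    z = max(range(2), key=probs.__getitem__)
    if abs(probs[z] - 1) > 1e-9:
        raise ValueError("state is not a basis vector of basis " + a)
    return z

def p0_measurement(a, x, i):
    """P1 teleports |e_x^a>; with Bell outcome i, P0 holds sigma_i|e_x^a> and measures it."""
    return measure(apply(PAULI[i], MUB[a][x]), a)

def recover_x(a, z, i):
    """What both adversaries compute classically once they know a, z and i."""
    candidates = [x for x in range(2) if p0_measurement(a, x, i) == z]
    if len(candidates) != 1:
        raise ValueError("sigma_i does not permute basis " + a)
    return candidates[0]

def attack_succeeds_everywhere():
    """Lemma 3.2 plus the attack: every basis, every x, every Bell outcome."""
    return all(recover_x(a, p0_measurement(a, x, i), i) == x
               for a in MUB for x in range(2) for i in range(4))

def bases_are_unbiased():
    names = list(MUB)
    return all(abs(prob(u, v) - 0.5) < 1e-9
               for p in range(3) for q in range(p + 1, 3)
               for u in MUB[names[p]] for v in MUB[names[q]])

if __name__ == "__main__":
    print(bases_are_unbiased(), attack_succeeds_everywhere())
```
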
The Garden-Hose Game 



4.1 Motivation 

The results of this section are motivated by the study of a particular quantum protocol for secure 
position verification, described in Figure 4.1. The protocol is of the generic form described in 
Section 3.2 of [BCF+10]. In Step 0, the verifiers prepare challenges for the prover. In Step 1, they 
send the challenges, timed in such a way that they all arrive at the same time at the prover. In 
Step 2, the prover computes his answers and sends them back to the verifiers. Finally, in Step 3, 
the verifiers verify the timing and correctness of the answer. 

As in [BCF+10], we consider here for simplicity the case where all players live in one dimension; 
the basic ideas generalize to higher dimensions. In one dimension, we can focus on the case of two 
verifiers $V_0$, $V_1$ and an honest prover P in between them. 

We minimize the amount of quantum communication in that only one verifier, say $V_0$, sends a 
qubit to the prover, whereas both verifiers send classical n-bit strings $x, y \in \{0, 1\}^n$ that arrive at 
the same time at the prover. We fix a publicly known boolean function $f : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}$ 
whose output f(x, y) decides whether the prover has to return the qubit (unchanged) to verifier 
$V_0$ (in case f(x, y) = 0) or to verifier $V_1$ (if f(x, y) = 1). 

0. $V_0$ randomly chooses two n-bit strings $x, y \in \{0, 1\}^n$ and privately sends y to $V_1$. $V_0$ prepares an 
EPR pair $(|0\rangle_V|0\rangle_P + |1\rangle_V|1\rangle_P)/\sqrt{2}$. If f(x, y) = 0, $V_0$ keeps the qubit in register V. Otherwise, 
$V_0$ sends the qubit in register V privately to $V_1$. 

1. $V_0$ sends the qubit in register P to the prover P together with the classical n-bit string x. $V_1$ 
sends y so that it arrives at the same time as the information from $V_0$ at P. 

2. P evaluates $f(x, y) \in \{0, 1\}$ and routes the qubit to $V_{f(x,y)}$. 

3. $V_0$ and $V_1$ accept if the qubit arrives in time at the right verifier and the Bell measurement of 
the received qubit together with the qubit in V yields the correct outcome. 

Figure 4.1: Position-verification scheme $\mathrm{PV}_{\mathrm{qubit}}$ using one qubit and classical n-bit strings. 

The motivation for considering this protocol is the following: As the protocol uses only one 
qubit which needs to be correctly routed, the honest prover's quantum actions are trivial to 
perform. His main task is evaluating a classical boolean function f on classical inputs x and y 
whose bit size n can be easily scaled up. On the other hand, our results in this section suggest that 
the adversary's job of successfully attacking the protocol becomes harder and harder for larger 
input strings x, y. The hope is that for "complicated enough" functions f(x, y), the amount of 
EPR pairs needed to successfully break the security of the protocol $\mathrm{PV}_{\mathrm{qubit}}$ grows (at least) linearly 
in the bit length n of the classical strings x, y. 

If this intuition can be proven to be true, it is a very interesting property of the protocol 
that we obtain a favorable relation between quantum and classical difficulty of operations in the 
following sense: if we increase the length of the classical inputs x, y, we require more classical 
computing power of the honest prover, whereas more quantum resources (EPR pairs) are required 
by the adversary to break the protocol. To the best of our knowledge, such a trade-off has never 
been observed for a quantum-cryptographic protocol. 

In order to analyze the security of the protocol $\mathrm{PV}_{\mathrm{qubit}}$, we define the following communication 
game in which Alice and Bob play the roles of the adversarial attackers of $\mathrm{PV}_{\mathrm{qubit}}$. Alice 
starts with an unknown qubit $|\phi\rangle$ and a classical n-bit string x while Bob holds the n-bit string 
y. They also share some quantum state $|\eta\rangle_{AB}$ and both players know the Boolean function 
$f : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}$. The players are allowed one round of simultaneous classical 
communication combined with arbitrary local quantum operations. When f(x, y) = 0, Alice should 
be in possession of the state $|\phi\rangle$ at the end of the protocol and on f(x, y) = 1, Bob should hold it. 

As a simple example consider the case where $f(x, y) = x \oplus y$, the exclusive OR function, with 
1-bit inputs x and y. Alice and Bob then have the following way of performing this task perfectly 
by using a pre-shared quantum state consisting of three EPR pairs. Label the first two EPR 
pairs 0 and 1. Alice teleports $|\phi\rangle$ to Bob using the pair labeled with her input x. This yields 
measurement result $i \in \{0, 1, 2, 3\}$, while Bob teleports his half of the EPR pair labeled y to Alice 
using his half of the third EPR pair while obtaining measurement outcome $j \in \{0, 1, 2, 3\}$. In 
the round of simultaneous communication, both players send the classical measurement results 
and their inputs x or y to the other player. If $x \oplus y = 1$, i.e. x and y are different bits, Bob can 
apply the Pauli operator $\sigma_i$ to his half of the EPR pair labeled $x = y \oplus 1$, correctly recovering $|\phi\rangle$. 
Similarly, if $x \oplus y = 0$, it is easy to check that Alice can recover the qubit by applying $\sigma_i\sigma_j$ to her 
half of the third EPR pair. 

If Alice and Bob are constrained to the types of actions in the example above, i.e., if they are 
restricted to teleporting the quantum state back and forth depending on their classical inputs, 
this leads to the following notion of garden-hose game and garden-hose complexity. 

4.2 Definition of the Garden-Hose Game 

Alice and Bob get n-bit input strings x and y, respectively. Their goal is to "compute" an 
agreed-upon Boolean function $f : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}$ on these inputs, in the following 
way. We assume that Alice and Bob have s pipes between them. Depending on their respective 
classical inputs x and y, they connect their ends of the pipes with pieces of hose, of which they 
have an unlimited amount. Note however, that we do not allow "T-pieces" (or more complicated 
constructions) of hose which connect two or more pipes to one, or vice versa; only one-to-one 
connections are allowed. Alice has a source of water which she connects to one of the pipes, and 
then she turns on the water. It is easy to check that the water will flow out on either of the 
sides, i.e. no "deadlocks" are possible. The players succeed in computing f (we may also say: they 
win the garden-hose game), if the water comes out of one of the pipes on Alice's side whenever 
f(x, y) = 0, and the water comes out of one of the pipes on Bob's side whenever f(x, y) = 1. Note 
that it does not matter out of which pipe the water flows, only on which side it flows. We stress 
once more that what makes the game non-trivial is that Alice and Bob must do their "plumbing" 
based on their local input only, and they are not allowed to communicate. We refer to Figure 4.2 
for an illustration of computing the XOR function in the garden-hose model. 

We can translate any strategy of Alice and Bob in the garden-hose game to a perfect quantum 
attack of $\mathrm{PV}_{\mathrm{qubit}}$ by using one EPR pair per pipe and performing Bell measurements where the 
players connect the pipes. Our hope is that also the converse is true in spirit: if many pipes are 
required to compute f, say we need superpolynomially many, then the number of EPR pairs needed 
for Alice and Bob to successfully break $\mathrm{PV}_{\mathrm{qubit}}$ with probability close to 1 by means of an arbitrary 
attack (not restricted to Bell measurements on EPR pairs) should also be superpolynomial. We 
leave this as an interesting problem for future research. We stress that for this application, a 
polynomial lower bound on the number of pipes, and thus on the number of EPR pairs, is already 
interesting. 



Figure 4.2: Garden-hose game for the XOR function. 

We formalize the above description of the garden-hose game, given in terms of pipes and 
hoses etc., by means of rigorous graph-theoretic terminology. However, we feel that the above 
terminology captures the notion of a garden-hose game very well, and thus we sometimes use 
the above "watery" terminology. We start with a balanced bipartite graph $(A \cup B, E)$ which 
is 1-regular and where the cardinality of A and B is $|A| = |B| = s$, for an arbitrary large 
$s \in \mathbb{N}$. We slightly abuse notation and denote both the vertices in A and in B by the integers 
1, . . . , s. If we need to distinguish $i \in A$ from $i \in B$, we use the notation $i^A$ and $i^B$. We may 
assume that E consists of the edges that connect $i \in A$ with $i \in B$ for every $i \in \{1, \dots, s\}$, i.e., 
$E = \{\{i^A, i^B\} : 1 \le i \le s\}$. These edges in E are the pipes in the above terminology. We now 
extend the graph to $(A_0 \cup B, E)$ by adding a vertex 0 to A, resulting in $A_0 = A \cup \{0\}$. This 
vertex corresponds to the water tap, which Alice can connect to one of the pipes. Given a Boolean 
function $f : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}$, consider now two functions $E_{A_0}$ and $E_B$; both take as input 
a string in $\{0, 1\}^n$ and output a set of edges (without self loops). For any $x, y \in \{0, 1\}^n$, $E_{A_0}(x)$ 
is a set of edges on the vertices $A_0$ and $E_B(y)$ is a set of edges on the vertices B, so that the 
resulting graphs $(A_0, E_{A_0}(x))$ and $(B, E_B(y))$ have maximum degree at most 1. $E_{A_0}(x)$ consists 
of the connections among the pipes (and the tap) on Alice's side (on input x), and correspondingly 
for $E_B(y)$. For any $x, y \in \{0, 1\}^n$, we now define the graph $G(x, y) = (A_0 \cup B, E \cup E_{A_0}(x) \cup E_B(y))$ 
by adding the edges $E_{A_0}(x)$ and $E_B(y)$ to E. G(x, y) consists of the pipes with the connections 
added by Alice and Bob. Note that the vertex $0 \in A_0$ has degree at most 1, and the graph G(x, y) 
has maximum degree at most 2; it follows that the maximal path $\pi(x, y)$ that starts at the 
vertex $0 \in A_0$ is uniquely determined. $\pi(x, y)$ represents the flow of the water, and the endpoint of 
$\pi(x, y)$ determines whether the water comes out on Alice or on Bob's side (depending on whether 
it is in $A_0$ or in B). 

Definition 4.1. A garden-hose game is given by a graph function $G : (x, y) \mapsto G(x, y)$ as 
described above. The number of pipes s is called the size of G, and is denoted as s(G). A 
garden-hose game G is said to compute a Boolean function $f : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}$ if 
the endpoint of the maximal path $\pi(x, y)$ starting at 0 is in $A_0$ whenever f(x, y) = 0 and in B 
whenever f(x, y) = 1. 

Definition 4.2. The (deterministic) garden-hose complexity of a Boolean function $f : \{0, 1\}^n \times 
\{0, 1\}^n \to \{0, 1\}$ is the size s(G) of the smallest garden-hose game G that computes f. We denote 
it by GH(f). 

We start with a simple upper bound on GH(f) which is implicitly proven in the attack on 
Scheme II in [KMS11]. 
Proposition 4.3. For every Boolean function $f : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}$, the garden-hose 
complexity is at most $GH(f) \le 2^n + 1$. 

Proof. We identify $\{0, 1\}^n$ with $\{1, \dots, 2^n\}$ in the natural way. For $s = 2^n + 1$ and the resulting 
bipartite graph $(A_0 \cup B, E)$, we can define $E_{A_0}$ and $E_B$ as follows. $E_{A_0}(x)$ is set to $\{(0, x)\}$, meaning 
that Alice connects the tap with the pipe labeled by her input x. To define $E_B$, group the set 
$Z(y) = \{a \in \{0, 1\}^n : f(a, y) = 0\}$ arbitrarily into disjoint pairs $\{a_1, a_2\} \cup \{a_3, a_4\} \cup \dots \cup \{a_{\ell-1}, a_\ell\}$ 
and set $E_B(y) = \{\{a_1, a_2\}, \{a_3, a_4\}, \dots, \{a_{\ell-1}, a_\ell\}\}$. If $\ell = |Z(y)|$ is odd so that the decomposition 
into pairs results in a left-over $\{a_\ell\}$, then $a_\ell$ is connected with the "reserve" pipe labeled by $2^n + 1$. 

By construction, if $x \in Z(y)$ then $x = a_i$ for some i, and thus pipe $x = a_i$ is connected on Bob's 
side with pipe $a_{i-1}$ or $a_{i+1}$, depending on the parity of i, or with the "reserve" pipe, and thus 
$\pi(x, y)$ is of the form $\pi(x, y) = (0, x^A, x^B, v^B, v^A)$, ending in $A_0$. On the other hand, if $x \notin Z(y)$, 
then pipe x is not connected on Bob's side, and thus $\pi(x, y) = (0, x^A, x^B)$, ending in B. This 
proves the claim. □ 

We notice that the same proof shows that the garden-hose complexity GH(f) is at most $2^k + 1$, 
when k is the one-way communication complexity from Alice to Bob of f.¹ 

We introduce the following terminology. We say that a function $f : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}$ 
is obtained from a function $g : \{0, 1\}^m \times \{0, 1\}^m \to \{0, 1\}$ by local pre-processing if f is of the form 
$f(x, y) = g(\alpha(x), \beta(y))$, where $\alpha$ and $\beta$ are arbitrary functions $\{0, 1\}^n \to \{0, 1\}^m$. The following 
invariance under local preprocessing follows immediately from the definition of the garden-hose 
complexity. 

Lemma 4.4. If f is obtained from g by local pre-processing, then $GH(f) \le GH(g)$. 

4.3 Garden-Hose Complexity of Specific Functions 

To get a feel for the kind of things that are possible in the garden-hose model, we will first look 
at upper bounds for the complexity of several functions that are often studied in communication 
complexity settings: 

• Equality: EQ(x, y) = 1 iff x = y 

• Bitwise inner product: $\mathrm{IP}(x, y) = \sum_i x_i y_i \pmod 2$ 

• Majority function: $\mathrm{MAJ}(x, y) = 1$ iff $\sum_i x_i y_i \ge \lfloor n/2 \rfloor + 1$ 

4.3.1 Equality 

For a graphical depiction of the protocol, see Figure 4.3. As initialization, Alice first connects the 
source to pipe $R_0$, effectively letting Bob start with the water. 

We repeat the same pattern, for every i from 1 to n. If $y_i = 0$, Bob connects pipe $R_{i-1}$ to pipe 
$Q_i^0$, and on $y_i = 1$, Bob connects pipe $R_{i-1}$ to pipe $Q_i^1$. On the other side, Alice connects $R_i$ to 
$Q_i^0$ if $x_i = 0$ and she connects $R_i$ to $Q_i^1$ instead, if $x_i = 1$. 

If x and y are different on bit j, then $Q_j^{y_j}$ stays unconnected, so the water will flow out on 
Alice's side, right there. If x and y are equal this situation will never happen, so the water will 
exit at $R_n$, on Bob's side. The strategy uses 3n + 1 pipes, so we have shown that 

$$GH(\mathrm{EQ}) \le 3n + 1.$$
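The graph-theoretic definition, the generic strategy of Proposition 4.3 and the equality strategy above can all be checked mechanically. The following is an added example, not code from the thesis: a small simulator that follows the water from the tap and verifies both strategies on every input pair. The pipe labels, function names and the choice n = 3 are assumptions of the example.

```python
from itertools import product

TAP = "tap"  # vertex 0 of the formal definition

def link(pairs):
    """Symmetric lookup table for one player's hoses; T-pieces and self loops are rejected."""
    table = {}
    for u, v in pairs:
        if u == v or u in table or v in table:
            raise ValueError("only one-to-one hose connections are allowed")
        table[u], table[v] = v, u
    return table

def flow(alice_pairs, bob_pairs):
    """Follow the maximal path from the tap; return (side, pipe) where the water spills."""
    alice, bob = link(alice_pairs), link(bob_pairs)
    pipe = alice.get(TAP)
    if pipe is None:              # tap not connected: water spills on Alice's side
        return "A", TAP
    side = "B"                    # water has travelled through `pipe` to Bob's end
    while True:
        nxt = (bob if side == "B" else alice).get(pipe)
        if nxt is None:           # this end is open, so the water comes out here
            return side, pipe
        pipe, side = nxt, ("A" if side == "B" else "B")

def generic_strategy(f, n):
    """Proposition 4.3: one pipe per possible input of Alice plus a reserve pipe."""
    def alice(x):
        return [(TAP, x)]
    def bob(y):
        zeros = [a for a in product((0, 1), repeat=n) if f(a, y) == 0]
        if len(zeros) % 2:        # odd number of zeros: pair the left-over with the reserve
            zeros.append("reserve")
        return list(zip(zeros[0::2], zeros[1::2]))
    return alice, bob

def equality_strategy(n):
    """Section 4.3.1: pipes R_0..R_n and Q_i^0, Q_i^1 for i = 1..n."""
    def alice(x):
        return [(TAP, ("R", 0))] + [(("R", i), ("Q", i, x[i - 1])) for i in range(1, n + 1)]
    def bob(y):
        return [(("R", i - 1), ("Q", i, y[i - 1])) for i in range(1, n + 1)]
    return alice, bob

def computes(strategy, f, n):
    """True if the water exits at Bob exactly when f(x, y) = 1, for all x, y."""
    alice, bob = strategy
    inputs = list(product((0, 1), repeat=n))
    return all(flow(alice(x), bob(y))[0] == ("B" if f(x, y) else "A")
               for x in inputs for y in inputs)

def pipes_used(strategy, n):
    """Number of distinct pipes touched by either player over all inputs."""
    alice, bob = strategy
    ends = set()
    for w in product((0, 1), repeat=n):
        for u, v in alice(w) + bob(w):
            ends.update((u, v))
    return len(ends - {TAP})

def EQ(x, y):
    return int(x == y)

def IP(x, y):
    return sum(a & b for a, b in zip(x, y)) % 2

if __name__ == "__main__":
    n = 3
    print(computes(equality_strategy(n), EQ, n), pipes_used(equality_strategy(n), n))
    print(computes(generic_strategy(IP, n), IP, n), pipes_used(generic_strategy(IP, n), n))
```
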



¹ Or if needed, with a small adjustment in the protocol, $2^k + 2$ with k the one-way communication complexity 
of Bob to Alice. 
Figure 4.3: Garden-hose game for the equality function. 



4.3.2 Inner product 

The protocol for inner product is drawn in Figure 4.4. Recall that the inner-product function is 
defined as $\mathrm{IP}(x, y) = \sum_i x_i y_i \pmod 2$. To calculate the bitwise inner product, we might let i go 
from 1 to n, initialize a one-bit result register with the value 0, and flip this bit whenever the AND 
of $x_i$ and $y_i$ equals 1. The garden-hose protocol follows a strategy inspired by this idea. 

To start, Alice connects the source to $Q_k^0$, with k the first index for which $x_k = 1$. For every i 
from 1 to n, there are four pipes. If $y_i = 0$, Bob connects $Q_i^0$ to $R_i^0$ and $Q_i^1$ to $R_i^1$. If $y_i = 1$, Bob 
instead connects $Q_i^0$ to $R_i^1$ and $Q_i^1$ to $R_i^0$. 

Alice does not make any new connections if $x_i = 0$, and if $x_i = 1$ she connects $R_i^0$ and $R_i^1$ to 
$R_k^0$ and $R_k^1$ respectively, with k the next index for which $x_k = 1$. If $x_j$ is the last bit of x equal to 
1, Alice does nothing with $R_j^0$ and connects $R_j^1$ to the pipe labeled End. 

To see why this construction works, we can compare it to the algorithm described earlier. 
The water flowing through $R_i^b$ corresponds to the result register having value b after step i of the 
algorithm, and the water changes from the top to bottom pipe, or vice versa, when $x_i = y_i = 1$. At 
the last index k for which $x_k = 1$, the water flows to Alice through the pipe corresponding to the 
final function value. Alice leaves $R_k^0$ unconnected, so the water exits at Alice's side if IP(x, y) = 0. 
She connects $R_k^1$ to the pipe End, which is unconnected on Bob's side, making the water exit at 
Bob's side if IP(x, y) = 1. 

The strategy uses 4n + 1 pipes, letting us upper bound the garden-hose complexity with 

$$GH(\mathrm{IP}) \le 4n + 1.$$



4.3.3 Majority 

The majority function equals 1 when on at least half of indices i we have that both $x_i = 1$ and 
$y_i = 1$. Our strategy in the garden-hose game is inspired by the following algorithm for majority. 
Figure 4.4: Garden-hose game for the inner-product function. 

We iterate over all indices i from 1 to n and initialize a counter with value 0. For every i, we add 
1 to the counter if both $x_i = 1$ and $y_i = 1$. If the value in the counter reaches $\lfloor n/2 \rfloor + 1$, we stop 
and answer 1. Here $\lfloor z \rfloor$ is the floor function which maps a real number z to the largest integer not 
greater than z. Otherwise, if we reach the end, we give the answer 0. Our garden-hose strategy works 
in a similar way, with the pipe the water flows through acting as a 'counter'. For simplicity, we 
assume that n is a multiple of 2. It is easy to extend the strategy to also work for odd n. 

See Figure 4.5 for a diagram illustrating the strategy Alice and Bob follow. Alice connects the 
source to $Q_k^0$, with k the first index for which $x_k = 1$. For every i from 1 to n, the players have 
n/2 + 1 pipes labeled $Q_i^0, \dots, Q_i^{n/2}$ and n/2 + 1 pipes labeled $R_i^0, \dots, R_i^{n/2}$. If $y_i = 0$, Bob connects 
$Q_i^m$ to $R_i^m$ for every m from 0 to n/2. If $y_i = 1$, Bob instead connects $Q_i^m$ to $R_i^{m+1}$ for every m 
from 0 to n/2 - 1, and leaves $Q_i^{n/2}$ unconnected. 

If $x_i = 0$, Alice does not make any new connections. Now, look at the case where $x_i = 1$. Let 
k be the first index greater than i for which $x_k = 1$. If i is the last index for which $x_i = 1$, Alice 
does nothing. Otherwise, she connects $R_i^m$ to $Q_k^m$, for every m from 0 to n/2. 

Having the earlier algorithm in mind, we can see how the garden-hose strategy works by 
comparing it to the algorithm. The water flowing through pipe $Q_i^c$ corresponds to the counter 
having value c at step i. Where both $x_i = 1$ and $y_i = 1$, the water will go to Bob's side in 
pipe $Q_i^c$ and return to Alice in pipe $R_i^{c+1}$. The water going back in a lower pipe is equivalent to 
incrementing the counter. When the water was coming in through $Q_i^{n/2}$ and $y_i = 1$, the water will 
exit at Bob's side, since $Q_i^{n/2}$ will be unconnected then. The water exiting at Bob corresponds 
to stopping and answering 1 when the counter reaches n/2 + 1. Finally, if there are not enough 
positions i where both $x_i = 1$ and $y_i = 1$, the water will exit at Alice at the last i for which $x_i = 1$. 
In the algorithm this case is equivalent to outputting 0 if the end is reached without terminating 
earlier. 

This strategy uses n + 2 pipes for every i, giving a total upper bound of 

$$GH(\mathrm{MAJ}) \le (n + 2)^2.$$

It is not hard to get a strategy with approximately half this number; we will give a sketch on 
how to modify the strategy to achieve this improvement. For i values 1 to n/2 - 1 we only need 
pipes Q° to Ql and i?° to We can do leave out the other pipes because the counter can 

not have reached the corresponding value, even if all bits of x and y so far were 1. When i has 
values n/2 to n we only need Q l ~ n ^ 2 to Q^ 2 ^ 1 and ^>* +1 ~"/ 2 to ij™/ 2_1 . Leaving these pipes out 
is possible because for low values, at that step, the counter will not be able to reach n/2 + 1, even 
if all remaining bits of x and y are 1. We did not include this improvement in the main strategy 
to keep it simpler, while still keeping the same upper bound of $O(n^2)$, up to constants. 

An interesting thing to note is that equality and inner product can be computed in n steps 
using constant memory, and we are able to find a garden-hose strategy using $O(n)$ steps. The 
obvious way to compute the majority function needs one counter, using $\log n$ memory, and the 
given upper bound for the garden-hose complexity is $O(n^2)$. This already hints at the result given 
in Section 4.5, where we show that any function that can be computed in logarithmic space has 
at most polynomial garden-hose complexity. 

4.4 Encoding Logarithmic-Depth Circuits 

For any function that can be computed by a circuit that has depth logarithmic in the input 
length, we can find a strategy. We use a construction inspired by Barrington's theorem [Bar89], 
for which a proof is given in Section 2.2. Even though the notation coming from the machinery of 
Barrington's theorem is a bit involved, the actual construction in the garden-hose model matches 
the permutation branching programs, whose power follows from Barrington's theorem. 

Theorem 4.5. If $f : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}$ is computable in $\mathrm{NC}^1$, then GH(f) is polynomial 
in n. 

Proof. Define $z \in \{0, 1\}^{2n}$ as the concatenation of the inputs of f(x, y), where x is the part of the 
input Alice holds and Bob has y. We say that f is computable in $\mathrm{NC}^1$ if there exists a circuit 
C with the following properties. The depth d of C is logarithmic in the input length 2n. The 
circuit C has fan-in 2, and consists of only NOT, AND and OR gates. C outputs 1 if and only if 
f outputs 1 on the same input. 

We define an instruction as a triple $(j, \mu, \nu)$, where j is the index to a bit of the input, and $\mu$ 
and $\nu$ are permutations in the symmetric group $S_5$. We define a program as a list of instructions. A 
program evaluates to the product of the value of its instructions. We say that a program computes 
a circuit C if it evaluates to a 5-cycle $\mu$ when C is true, and to the identity e when C is false. 

It follows from Barrington's theorem that, given C, we can construct a program P with length 
$l$ at most $4^d$. This P computes f, and has length polynomial in n. Without loss of generality we 
can assume that the instructions alternate between depending on x and depending on y. If the 
instructions do not alternate, it will be easy to modify the construction so that the players can 
locally collect multiple instructions together. We also assume that the number of instructions $l$ is 
even. 
Figure 4.5: Garden-hose game for the majority function. Note that the $Q_i^{n/2}$ pipe is left 
unconnected on Bob's side whenever $y_i = 1$. 


Let $P_i$ be the i-th instruction of P. Alice can evaluate all the odd instructions and Bob knows 
all the even instructions. Recall that if f(x, y) = 0, the product of these evaluations is the identity 
permutation e, and on f(x, y) = 1, the product is some other 5-cycle. Let $P_i(a)$ be the evaluation 
of the i-th instruction acting on the number a. Label pipes $Q_1^1, Q_2^1, Q_3^1, Q_4^1, Q_5^1$ up to $Q_1^l, Q_2^l, Q_3^l$, 
$Q_4^l, Q_5^l$, with $l$ the length of P. 

First, Alice evaluates $P_1$ and connects the source to pipe $Q^1_{P_1(1)}$. Then, for every odd i up to 
$l$, Alice connects pipe $Q^{i-1}_k$ to pipe $Q^i_{P_i(k)}$ for k from 1 to 5; she connects the pipes according to the 
permutation given by the instructions. Because all the odd instructions depend on x, she is able 
to find $P_i$ for every odd i. Bob's actions are similar: for every even i up to $l$, and k from 1 to 5, 
Bob connects pipe $Q^{i-1}_k$ to pipe $Q^i_{P_i(k)}$. At the end, Alice leaves $Q_1^l$ unconnected and uses 4 pipes 
to let $Q_2^l, \dots, Q_5^l$ go to Bob. 

Because we linked up the groups of 5 pipes according to the permutations given by the 
permutation branching program, if f(x, y) = 0 the identity permutation will be applied in total, so water 
will flow through $Q_1^l$, correctly exiting at Alice's side. Otherwise, if f(x, y) = 1, the water will go 
through one of the other pipes, since a cycle permutation does not leave any position unchanged, 
correctly letting the water flow to Bob. □ 



4.5 Garden-Hose Complexity and Log-Space Computations 

The following theorem shows that for a large class of functions, a polynomial amount of pipes 
suffices to win the garden-hose game. A function f with an n-bit input is log-space computable 
if there is a deterministic Turing machine M and a constant c, such that M outputs the correct 
value of f, and at most $c \cdot \log n$ locations of M's work tapes are ever visited by M's head during 
computation of every input of length n. 

Theorem 4.6. If $f : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}$ is log-space computable, then GH(f) is polynomial 
in n. 

In combination with Lemma 4.4, it follows immediately that the same conclusion also holds 
for functions that are log-space computable up to local pre-processing, i.e., for any function 
$f : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}$ that is obtained from a log-space computable function 
$g : \{0, 1\}^m \times \{0, 1\}^m \to \{0, 1\}$ by local pre-processing, where m is polynomial in n. Below, in Proposition 4.8, 
we show that log-space up to local pre-processing is also necessary for a polynomial garden-hose 
complexity. 

We will later see (Proposition 4.12) that there exist functions with large garden-hose 
complexity. However, a negative implication of Theorem 4.6 is that proving the existence of a 
polynomial-time computable function f with exponential garden-hose complexity is at least as hard as 
separating L from P, a long-standing open problem in complexity theory. 

Corollary 4.7. If there exists a function $f : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}$ in P that has 
superpolynomial garden-hose complexity, then $\mathrm{P} \ne \mathrm{L}$. 

Proof of Theorem 4.6. Let M be a deterministic Turing machine deciding f(x, y) = 0. We assume 
that M's read-only input tape is of length 2n and contains x on positions 1 to n and y on positions 
n + 1 to 2n. By assumption M uses logarithmic space on its work tapes. 

In this proof, a configuration of M is the location of its tape heads, the state of the Turing 
machine and the content of its work tapes, excluding the content of the read-only input tape. This 
is a slightly different definition than usual, where the content of the input tape is also part of a 
configuration. When using the normal definition (which includes the content of all tapes), we will 
use the term total configuration. Any configuration of M can be described using a logarithmic 
number of bits, because M uses logarithmic space. 

A Turing machine is called deterministic, if every total configuration has a unique next one. A 
Turing machine is called reversible if in addition to being deterministic, every total configuration 
also has a unique predecessor. An S(n) space-bounded deterministic Turing machine can be 
simulated by a reversible Turing machine in space $O(S(n))$ [LMT97]. This means that without 
loss of generality, we can assume M to be a reversible Turing machine, which is crucial for our 
construction. Let M also be oblivious² in the tape head movement on the input tape. This can 
be done with only a small increase in space by adding a counter. 

Alice's and Bob's perfect strategies in the garden-hose game are as follows. They list all 
configurations where the head of the input tape is on position n coming from position n + 1. Let 
us call the set of these configurations $C_A$. Let $C_B$ be the analogous set of configurations where the 
input tape head is on position n + 1 after having been on position n the previous step. Because 
M is oblivious on its input tape, these sets depend only on the function f, but not on the input 
pair (x,y). The number of elements of $C_A$ and $C_B$ is at most polynomial, being exponential in the 
description length of the configurations. Now, for every element in $C_A$ and $C_B$, the players label 
a pipe with this configuration. Also label $|C_A|$ pipes ACCEPT and $|C_B|$ of them REJECT. These 
steps determine the number of pipes needed; Alice and Bob can do this labeling beforehand. 

² A Turing machine is called oblivious if the movement in time of the heads depends only on the length of the 
input, known in advance to be 2n, but not on the input itself. For our construction we only require the input tape 
head to have this property. 

For every configuration in $C_A$, with corresponding pipe p, Alice runs the Turing machine 
starting from that configuration until it either accepts, rejects, or until the input tape head reaches 
position n + 1. If the Turing machine accepts, Alice connects p to the first free pipe labeled 
ACCEPT. On a reject, she leaves p unconnected. If the tape head of the input tape reaches 
position n + 1, she connects p to the pipe from $C_B$ corresponding to the configuration of the Turing 
machine when that happens. By her knowledge of x, Alice knows the content of the input tape 
on positions 1 to n, but not the other half. Alice also runs M from the starting configuration, 
connecting the water source to a target pipe with a configuration from $C_B$ depending on the 
reached configuration. 

Bob connects the pipes labeled by $C_B$ in an analogous way: He runs the Turing machine 
starting with the configuration with which the pipe is labeled until it halts or the position of the 
input tape head reaches n. On accepting, the pipe is left unconnected and if the Turing machine 
rejects, the pipe is connected to one of the pipes labeled REJECT. Otherwise, the pipe is connected 
to the one labeled with the configuration in $C_A$, the configuration the Turing machine is in when 
the head on the input tape reached position n. 

In the garden-hose game, only one-to-one connections of pipes are allowed. Therefore, to check 
that the described strategy is a valid one, the simulations of two different configurations from $C_A$ 
should never reach the same configuration in $C_B$. This is guaranteed by the reversibility of M as 
follows. Consider Alice simulating M starting from different configurations $c \in C_A$ and $c' \in C_A$. 
We have to check that their simulation cannot end at the same $d \in C_B$, because Alice cannot 
connect both pipes labeled c and c' to the same d. Because M is reversible, we can in principle 
also simulate M backwards in time starting from a certain configuration. In particular, Alice can 
simulate M backwards starting with configuration d, until the input tape head position reaches 
n + 1. The configuration of M at that time cannot simultaneously be c and c', so there will never 
be two different pipes trying to connect to the pipe labeled d. 

It remains to show that, after the players link up their pipes as described, the water comes out 
on Alice's side if M rejects on input (x,y), and that otherwise the water exits at Bob's. We can 
verify the correctness of the described strategy by comparing the flow of the water directly to the 
execution of M. Every pipe the water flows through corresponds to a configuration of M when it 
runs starting from the initial state. So the side on which the water finally exits also corresponds 
to whether M accepts or rejects. □ 

Proposition 4.8. Let $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ be a Boolean function. If GH(f) is polynomial 
(in n), then f is log-space computable up to local pre-processing. 

Proof. Let G be the garden-hose game that achieves s(G) = GH(f). We write s for s(G), the 
number of pipes, and we let $E_A$ and $E_B$ be the underlying edge-picking functions, which on input 
x and y, respectively, output the connections that Alice and Bob apply to the pipes. Note that 
by assumption, s is polynomial. Furthermore, by the restrictions on $E_A$ and $E_B$, on any input, 
they consist of at most $(s + 1)/2$ connections. 

We need to show that f is of the form $f(x,y) = g(\alpha(x), \beta(y))$, where $\alpha$ and $\beta$ are arbitrary 
functions $\{0,1\}^n \to \{0,1\}^m$, $g : \{0,1\}^m \times \{0,1\}^m \to \{0,1\}$ is log-space computable, and m is 
polynomial in n. We define $\alpha$ and $\beta$ as follows. For any $x, y \in \{0,1\}^n$, $\alpha(x)$ is simply a natural 
encoding of $E_A(x)$ into $\{0,1\}^m$, and $\beta(y)$ is a natural encoding of $E_B(y)$ into $\{0,1\}^m$. In the 
hose-terminology we say that $\alpha(x)$ is a binary encoding of the connections of Alice, and $\beta(y)$ is 
an encoding of the connections of Bob. Obviously, this can be done with m of polynomial size. 
Given these encodings, finding the endpoint of the maximum path $\pi(x,y)$ starting in can be 
done with logarithmic space: at any point during the computation, the Turing machine only needs 
to maintain a couple of pointers to the inputs and a constant number of binary flags. Thus, the 
function g that computes $g(\alpha(x), \beta(y)) = f(x,y)$ is log-space computable in m and thus also in 
n. □ 
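
The path-following step in the proof of Proposition 4.8, as an added Python example that is not code from the thesis: `water_exit` keeps only the current pipe and a side flag, which is the "couple of pointers" the log-space argument relies on. The 3n-pipe equality strategy, the pipe labels, the `TAP` marker and the convention that water leaving on Alice's side means x = y are assumptions made for this illustration.

```python
# Added illustration, not code from the thesis. Pipe labels, the TAP marker and
# the 3n-pipe equality strategy are assumptions made for this example.
TAP = "TAP"  # water source, located on Alice's side


def matching(pairs):
    """Build a symmetric lookup table from (end, end) pairs.

    Raises ValueError when an end is used twice, because the garden-hose
    model only allows one-to-one connections.
    """
    table = {}
    for a, b in pairs:
        if a == b or a in table or b in table:
            raise ValueError(f"pipe end connected twice: {a!r}, {b!r}")
        table[a], table[b] = b, a
    return table


def equality_strategy(x, y):
    """Connections E_A(x), E_B(y) for equality on n-bit tuples, using 3n pipes.

    Pipe ("v", i, b) carries the claim "bit i is b" to Bob; pipe ("r", i)
    returns the water to Alice once Bob has confirmed bit i.
    """
    n = len(x)
    alice = [(TAP, ("v", 0, x[0]))]
    alice += [(("r", i), ("v", i + 1, x[i + 1])) for i in range(n - 1)]
    bob = [(("v", i, y[i]), ("r", i)) for i in range(n)]
    return matching(alice), matching(bob), 3 * n


def water_exit(alice, bob):
    """Follow the water from the tap; return (exit side, pipes traversed).

    The state is one pipe label plus one side flag. The walk cannot loop:
    it starts at the tap and every pipe end has at most one partner.
    """
    if TAP not in alice:
        return "A", 0  # tap left open: water spills on Alice's side at once
    pipe, side, hops = alice[TAP], "B", 1  # water arrives at Bob's end
    while True:
        table = bob if side == "B" else alice
        if pipe not in table:  # open end: the water leaves here
            return side, hops
        pipe = table[pipe]  # into the connected pipe, towards the other side
        side = "A" if side == "B" else "B"
        hops += 1


if __name__ == "__main__":
    for y in [(1, 0, 1), (1, 1, 1)]:
        a, b, pipes = equality_strategy((1, 0, 1), y)
        print(y, pipes, water_exit(a, b))
```
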

4.6 Lower Bounds 



In this section, we present lower bounds on the number of pipes required to win the garden-hose 
game for particular (classes of) functions. 

Definition 4.9. We call a function f injective for Alice, if for every two different inputs x and x' 
there exists y such that $f(x,y) \neq f(x',y)$. We define injective for Bob in an analogous way: for 
every $y \neq y'$, there exists x such that $f(x,y) \neq f(x,y')$ holds. 

Proposition 4.10. If f is injective for Bob or f is injective for Alice, then 

$$GH(f) \log(GH(f)) \geq n .$$

Proof. We give the proof when f is injective for Bob. The proof for the case where f is injective for 
Alice is the same. Consider a garden-hose game G that computes f. Let s be its size s(G). Since, 
on Bob's side, every pipe is connected to at most one other pipe, there are at most $s^s = 2^{s \log(s)}$ 
possible choices for $E_B(y)$, i.e., the set of connections on Bob's side. Thus, if $2^{s \log(s)} < 2^n$, it follows 
from the pigeonhole principle that there must exist y and y' in $\{0,1\}^n$ for which $E_B(y) = E_B(y')$, 
and thus for which $G(x,y) = G(x,y')$ for all $x \in \{0,1\}^n$. But this cannot be since G computes f 
and $f(x,y) \neq f(x,y')$ for some x due to the injectivity for Bob. Thus, $2^{s \log(s)} \geq 2^n$ which implies 
the claim. □ 

We can use this result to obtain an almost linear lower bound for the functions we looked at in 
Section 4.3. The bitwise inner product, equality and majority functions are all injective for both 
Alice and Bob, giving us the following corollary. 

Corollary 4.11. The functions bitwise inner product, equality and majority have garden-hose 
complexity at least $n / \log(n)$. 
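
A brute-force check of Definition 4.9 and of the pigeonhole count behind Proposition 4.10, added here as an example and not taken from the thesis. It goes slightly beyond the text by also counting Bob's one-to-one connection patterns exactly (the involution numbers) instead of bounding them by $s^s$; the function names and the non-injective `first_bit_and` are constructed for the illustration.

```python
# Added illustration, not code from the thesis.
from itertools import product
from math import log2


def injective_for_bob(f, n):
    """Definition 4.9: every pair y != y' is separated by some x.

    Equivalent to all columns (f(x, y) for every x) being distinct.
    """
    inputs = list(product((0, 1), repeat=n))
    columns = {tuple(f(x, y) for x in inputs) for y in inputs}
    return len(columns) == len(inputs)


def injective_for_alice(f, n):
    """Same test with the roles of the two inputs swapped."""
    return injective_for_bob(lambda x, y: f(y, x), n)


def equality(x, y):
    return int(x == y)


def inner_product(x, y):
    return sum(a & b for a, b in zip(x, y)) % 2


def first_bit_and(x, y):
    """Constructed counter-example: only the first bits matter."""
    return x[0] & y[0]


def partial_matchings(s):
    """Exact number of ways to connect s pipe ends one-to-one, some left open.

    This is the number of involutions on s elements:
    I(s) = I(s-1) + (s-1) * I(s-2), with I(0) = I(1) = 1.
    """
    prev, cur = 1, 1
    for k in range(2, s + 1):
        prev, cur = cur, cur + (k - 1) * prev
    return cur


def min_pipes_paper_bound(n):
    """Smallest s with s * log2(s) >= n, the bound of Proposition 4.10."""
    s = 1
    while s * log2(s) < n:
        s += 1
    return s


def min_pipes_exact_count(n):
    """Smallest s for which Bob has at least 2**n distinct connection sets.

    With fewer, two inputs y != y' share E_B and an injective f fails.
    """
    s = 1
    while partial_matchings(s) < 2 ** n:
        s += 1
    return s


if __name__ == "__main__":
    for n in (8, 16, 32, 64):
        print(n, min_pipes_paper_bound(n), min_pipes_exact_count(n))
```

Because the number of partial matchings never exceeds $s^s$, the exact count always gives a bound at least as large as the one from Proposition 4.10.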

Proposition 4.12. There exist functions $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ for which GH(f) is 
exponential. 

Proof. The existence of functions with an exponential garden-hose complexity can be shown by a 
simple counting argument. There are $2^{2^{2n}}$ different functions f(x,y). For a given size s = s(G) 
of G, for every $x \in \{0,1\}^n$, there are at most $(s+1)^{s+1}$ ways to choose the connections $E_A(x)$ 
on Alice's side, and thus there are at most $((s+1)^{s+1})^{2^n} = 2^{2^n (s+1) \log(s+1)}$ ways to choose the 
function $E_A$. Similarly for $E_B$, there are at most $2^{2^n s \log(s)}$ ways to choose $E_B$. Thus, there are 
at most $2^{2 \cdot 2^n (s+1) \log(s+1)}$ ways to choose G of size s. Clearly, in order for every function f to 
have a G of size s that computes it, we need that $2 \cdot 2^n (s+1) \log(s+1) \geq 2^{2n}$, and thus that 
$(s+1) \log(s+1) \geq 2^{n-1}$, which means that s must be exponential. □ 



4.7 Notes on feasibility 

It is very common in complexity theory to say that an algorithm is efficient when it uses only a 
polynomial amount of resources. This is also the spirit of the upper bound given in Section 4.5, 
where we showed that the garden-hose complexity of a function that can be computed in logarith- 
mic space is at most polynomial. For the task of secure position verification however, a real-world 
adversary is quite limited. A protocol for which the best known attack requires a number of 
EPR pairs that is almost linear in n (the number of classical bits) will certainly not be breakable 
with current technology. The actions of the honest players, on the other hand, are within reach 
to implement, and the basic steps are not much harder than those used in, for example, the BB84 
protocol [BB84]. If a function should actually need a quadratic number of EPR pairs to break, 
such as the best upper bound we have so far for Majority in section 4.3.3, then the corresponding 
protocol will not be breakable in the foreseeable future. 

Of course, we have not proven that the attacks coming from the garden-hose model are optimal; 
it might very well be that for some functions there exist quantum strategies that need much less 
entanglement than the garden-hose complexity of that function. We do not know of any such 
function right now. 

Since the honest prover also has to execute the function, the most interesting functions to 
look at from a practical perspective will be computable in polynomial time. Since this thesis has 
shown that for any function computable in logarithmic space, the dishonest provers can break the 
protocol using a polynomial number of EPR pairs, a good candidate will be a function f which is 
in P but not known to be in L. 

Looking for a suitable function gives rise to the following question. How can we encode the 
inputs so that the players cannot do smart local pre-processing, i.e. solve large parts of the 
problem locally, without needing much of the other half of the input? One way we propose is 
to encode the input with a one-time pad as follows. Given a (hard) function g(z), we define the 
function f that is the objective of the garden-hose game as 

$$f(x,y) = g(x \oplus y) .$$

Given an n-bit input z to the original problem, we give Alice the random n-bit string r and Bob 
the n-bit string $z \oplus r$. 

The strings that Alice and Bob get are both completely random. This makes it harder for 
them to do smart pre-processing, since every input is equally likely. Even though there are 
counter-examples possible, it may be a good option to try. A disadvantage of this encoding is that we 
cannot even prove anymore that any of these functions have exponential garden-hose complexity. 
The counting argument in Proposition 4.12 does not work anymore, since we effectively halve the 
input length from 2n to n. 



4.8 Lower Bounds In The Real World 

In this section, we show that for a function that is injective for Alice or injective for Bob (according 
to Definition 4.9), the dimension of the entangled state the adversaries need to share in order to 
attack protocol PV qubit perfectly has to be of order at least linear in the classical input size n. In 
other words, they require at least a logarithmic number of qubits in order to successfully attack 



4.8.1 Localized Qubits 

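Assume we have two bipartite states $|\psi^0\rangle$ and $|\psi^1\rangle$ with the property that $|\psi^0\rangle$ allows Alice to 
locally extract a qubit and $|\psi^1\rangle$ allows Bob to locally extract the same qubit. Intuitively, these 
two states have to be different. 

More formally, we assume that both states consist of five registers $R, A, \tilde{A}, B, \tilde{B}$ where registers 
$R, A, B$ are one-qubit registers and $\tilde{A}$ and $\tilde{B}$ are arbitrary. We assume that there exist local unitary 
transformations $U_{A\tilde{A}}$ and $V_{B\tilde{B}}$ such that³ 

$$U_{A\tilde{A}} |\psi^0\rangle_{RA\tilde{A}B\tilde{B}} = |\beta\rangle_{RA} \otimes |P\rangle_{\tilde{A}B\tilde{B}} \qquad (4.1)$$
$$V_{B\tilde{B}} |\psi^1\rangle_{RA\tilde{A}B\tilde{B}} = |\beta\rangle_{RB} \otimes |Q\rangle_{A\tilde{A}\tilde{B}} , \qquad (4.2)$$

where $|\beta\rangle_{RA} := (|00\rangle_{RA} + |11\rangle_{RA})/\sqrt{2}$ denotes an EPR pair on registers $RA$ and $|P\rangle_{\tilde{A}B\tilde{B}}$ and 
$|Q\rangle_{A\tilde{A}\tilde{B}}$ are arbitrary pure states. 

Lemma 4.13. Let $|\psi^0\rangle, |\psi^1\rangle$ be states that fulfill (4.1) and (4.2). Then, 

$$|\langle \psi^0 | \psi^1 \rangle|^2 \leq 1/4 .$$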

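³ We always assume that these transformations act as the identities on the registers we did not specify explicitly. 

Proof. Multiplying both sides of (4.1) with and multiplying (4.2) with $V_{B\tilde{B}}^{\dagger}$, we can write 

$$
\begin{aligned}
|\langle \psi^0 | \psi^1 \rangle|^2 &= \left| \langle\beta|_{RA} \langle P|_{\tilde{A}B\tilde{B}} \, U_{A\tilde{A}} V_{B\tilde{B}}^{\dagger} \, |\beta\rangle_{RB} |Q\rangle_{A\tilde{A}\tilde{B}} \right|^2 \\
&= \left| \langle\beta|_{RA} \langle P'|_{\tilde{A}B\tilde{B}} \, |\beta\rangle_{RB} |Q'\rangle_{A\tilde{A}\tilde{B}} \right|^2 ,
\end{aligned}
$$

where we used that $U_{A\tilde{A}}$ and $V_{B\tilde{B}}$ commute and defined $|P'\rangle_{\tilde{A}B\tilde{B}} := V_{B\tilde{B}} |P\rangle_{\tilde{A}B\tilde{B}}$ and 
$|Q'\rangle_{A\tilde{A}\tilde{B}} := U_{A\tilde{A}} |Q\rangle_{A\tilde{A}\tilde{B}}$. 

Without loss of generality we can write 

$$|P'\rangle_{\tilde{A}B\tilde{B}} = a |0\rangle_B |P'_0\rangle_{\tilde{A}\tilde{B}} + b |1\rangle_B |P'_1\rangle_{\tilde{A}\tilde{B}} .$$

Using that 

$$
\begin{aligned}
\langle\beta|_{AB} \left( a |0\rangle_A |z_1\rangle_C + b |1\rangle_A |z_2\rangle_C \right) &= \frac{1}{\sqrt{2}} \left( \langle 00|_{AB} + \langle 11|_{AB} \right) \left( a |0\rangle_A |z_1\rangle_C + b |1\rangle_A |z_2\rangle_C \right) \\
&= \frac{1}{\sqrt{2}} \left( a \langle 0|_B |z_1\rangle_C + b \langle 1|_B |z_2\rangle_C \right) ,
\end{aligned}
$$

for arbitrary registers A, B and C, and arbitrary quantum states $|z_1\rangle$ and $|z_2\rangle$, we get 

$$
\begin{aligned}
|\langle \psi^0 | \psi^1 \rangle|^2 &= \left| \langle\beta|_{RA} \langle P'|_{\tilde{A}B\tilde{B}} \, |\beta\rangle_{RB} |Q'\rangle_{A\tilde{A}\tilde{B}} \right|^2 \\
&= \left| \langle\beta|_{RA} \left( a^* \langle 0|_B \langle P'_0|_{\tilde{A}\tilde{B}} + b^* \langle 1|_B \langle P'_1|_{\tilde{A}\tilde{B}} \right) |\beta\rangle_{RB} |Q'\rangle_{A\tilde{A}\tilde{B}} \right|^2 \\
&= \left| \frac{1}{\sqrt{2}} \langle\beta|_{RA} \left( a^* |0\rangle_R \langle P'_0|_{\tilde{A}\tilde{B}} + b^* |1\rangle_R \langle P'_1|_{\tilde{A}\tilde{B}} \right) |Q'\rangle_{A\tilde{A}\tilde{B}} \right|^2 \\
&= \left| \frac{1}{2} \left( a^* \langle 0|_A \langle P'_0|_{\tilde{A}\tilde{B}} + b^* \langle 1|_A \langle P'_1|_{\tilde{A}\tilde{B}} \right) |Q'\rangle_{A\tilde{A}\tilde{B}} \right|^2 \\
&\leq \frac{1}{4} .
\end{aligned}
$$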

In the last step we used that the magnitude of the inner product of two quantum states can never 
exceed 1. □ 

4.8.2 Squeezing Many Vectors in a Small Space 

The standard argument from [NC00, Section 4.5.4] shows that the number of unit vectors of 
pairwise distance $2\varepsilon$ one can fit into a d-dimensional space is of order \ . 

Note that two vectors with absolute inner product equal to $1/2 = \cos(\phi)$ have an angle of 
$\phi = \arccos(1/2) \approx 1.047$ between them. A small geometric calculation shows that they are at 
distance $2\cos(\phi/2) \approx 1.732$ from each other. Hence, we can consider $\varepsilon \approx 0.866$ in the statement 
above. 

It follows that if we are trying to squeeze more than ^ in a d-dimensional space, there will be 
two vectors that are closer than $2\varepsilon$ and hence, their inner product is larger than 1/2. 

4.8.3 The Lower Bound 

Theorem 4.14. Let f be injective for Bob. Assume that Alice and Bob perform a perfect attack on 
protocol $\mathrm{PV}_{\mathrm{qubit}}$ where they communicate only classical information. Then, they need to pre-share 
an entangled state whose dimension is at least linear in n. 

Proof. Let $|\psi\rangle_{RA\tilde{A}B\tilde{B}}$ be the pure state after Alice received the EPR half from the verifier. The 
one-qubit register R holds the verifier's half of the EPR-pair, the one-qubit register A contains 
Alice's other half of the EPR-pair, the $q_A$-qubit register $\tilde{A}$ is Alice's part of the pre-shared entangled 
state. The registers $B\tilde{B}$ belong to Bob where B holds one qubit and $\tilde{B}$ holds $q_B$ qubits. Hence, 
the overall state is a unit vector in a complex Hilbert space of dimension $d := 2^{2+q_A+1+q_B}$. 

In the first step of their attack, Alice performs an arbitrary quantum operation depending 
on her classical input x on her registers $A\tilde{A}$ resulting in a classical outcome $s \in S$. Similarly, 
Bob performs a quantum operation depending on y on registers $B\tilde{B}$ resulting in classical outcome 
$t \in T$. As we restricted the players to classical communication, we can assume without loss of 
generality that their operation is a measurement. 

We investigate the set $\mathcal{B}$ of overall states after Bob performed his measurement, but before 
Alice acts on the state. These states depend on Bob's input $y \in \{0,1\}^n$ and his measurement 
outcome $t \in T$, 

$$\mathcal{B} := \left\{ |\psi^{y,t}\rangle_{RA\tilde{A}B\tilde{B}} : y \in \{0,1\}^n, \; t \in T \right\} .$$

The set $\mathcal{B}$ contains at least $2^n$ unit vectors of dimension d. We assume for a contradiction that 
the dimension d is smaller than linear in n. By the results of Section 4.8.2, we know that for 
$\varepsilon \approx 0.866$, $2^n >$ implies that there are two different unit vectors in $\mathcal{B}$, say $|\psi^{y,t}\rangle$ and $|\psi^{y',t'}\rangle$, 
whose absolute inner product is larger than 1/2. 

We now let Alice act on her registers $A\tilde{A}$ of the state. Note that for every input $x \in \{0,1\}^n$, 
performing the same action (depending on $x \in \{0,1\}^n$) with the same outcome $s \in S$ on the 
two states $|\psi^{y,t}\rangle$ and $|\psi^{y',t'}\rangle$ does not decrease their absolute inner product. Let us call the 
states after Alice's actions $|\psi^{x,s,y,t}\rangle_{RA\tilde{A}B\tilde{B}}$ and $|\psi^{x,s,y',t'}\rangle_{RA\tilde{A}B\tilde{B}}$. We have just shown that for all 
$x \in \{0,1\}^n$, $s \in S$, 

$$|\langle \psi^{x,s,y,t} | \psi^{x,s,y',t'} \rangle| > 1/2 . \qquad (4.3)$$

However, because f is injective for Bob, there exists x such that $f(x,y) \neq f(x,y')$ and hence, 
the qubit has to end up at different places depending on Bob's input. For such an x (and arbitrary 
$s \in S$), Lemma 4.13 requires that the states are "different", namely that the absolute inner product 
$|\langle \psi^{x,s,y,t} | \psi^{x,s,y',t'} \rangle|$ needs to be smaller than 1/2, contradicting (4.3). 

Hence, the dimension d of the overall state needs to be at least linear in n. □ 

Chapter 5 

Open Questions 



In this thesis, we defined the garden-hose model and gave first results for the analysis of a specific 
scheme for quantum position-based cryptography. This scheme only requires the honest prover to 
work with a single qubit, while the dishonest provers potentially have to manipulate a large quan- 
tum state, making it an appealing scheme to further examine. The garden-hose model captures 
the power of attacks that only use teleportation, giving upper bounds for the general scheme, and 
lower bounds when restricted to these attacks. 

The garden-hose model is a new model of communication complexity, and there are still open 
questions in relation to this model. Can we find better upper and lower bounds for the garden-hose 
complexity of the studied functions? Our constructions still leave a polynomial gap between lower 
and upper bounds for many functions, such as the majority function described in Section 4.3.3. 
It would also be interesting to find an explicit function for which the garden-hose complexity 
is provably large; the counting argument in Proposition 4.12 only shows the existence of such 
functions. 

Another relevant extension to our results would be the examination of the randomized case: If 
we allow Alice and Bob to give the wrong answer with small probability, what are the lower and 
upper bounds we can prove in the garden-hose model? For example, assuming shared randomness 
between Alice and Bob, we can use results from communication complexity to show a large gap 
between the randomized garden-hose complexity of the equality function, and the deterministic 
garden-hose complexity of equality, which we examined in this thesis. 

A possible interesting extra restriction on the garden-hose model would involve limiting the 
computational power of Alice and Bob, for example to polynomial time, or to the output of quantum 
circuits of polynomial size. By bounding not only the amount of entanglement, but also the amount 
of computation with a realistic limit, perhaps stronger security proofs are possible. 

We can also see multiple interesting open questions when we include the quantum aspects of the 
problem. First we have the relation between the garden-hose complexity and the entanglement 
actually needed to break the position-verification scheme. Are there quantum attacks on our 
protocol for position verification that need asymptotically less entanglement than the garden-hose 
complexity? Here it would also be interesting to look at the randomized case. Can we prove 
lower bounds, and better upper bounds, if we allow the dishonest provers to make a small error? 
The garden-hose lower bounds and quantum lower bounds, given in this thesis in Section 4.6 and 
Section 4.8 respectively, have an exponential gap between them. Reducing this gap would give 
more insight into the power of all possible quantum actions relative to teleportation alone, where 
the garden-hose game captures the power of attack strategies that just use teleportation. 

As a final question, we can ask: How does the protocol behave under parallel repetition? When 
executing the protocol once, the dishonest provers always have a large probability of cheating the 
verifiers; even the naive method of measuring the qubit and distributing the result will work with 
a probability of at least 0.75. By using the protocol multiple times in parallel, given a situation 
where the adversaries have a small error, it might be possible to increase the probability that the 
dishonest provers are caught to arbitrarily close to 1. However, from complexity theory we know 
similar situations where provers can achieve a lower error probability than expected on first sight. 
In our setting, it remains to be proven that we can always amplify the probability of the cheaters 
getting caught. 